Security Operations and Services (SOS)

May 2012 OUCH! Newsletter

Tue, 08 May 2012 13:48:19 -0500

Below is a link to the May 2012 OUCH! security awareness newsletter, produced by SANS. This month's topic is lead by Joshua Wright and focuses on safely disposing mobile devices: What are you doing with your older devices? Have they been securely wiped? What are your options for disposal?

The newsletter provides a good supplemental educational resource to any security awareness activities going on in your respective areas. Please feel free to share it with colleagues and staff, as appropriate.

OUCH! | May 2012 - Safely Disposing of Your Mobile Device (English)

Missed the April edition, need a translation, or want to check out more of the archives? Visit these links:
OUCH! | April 2012 - Metadata
OUCH! | Translations and Archives

SOS Ticketing System Error on 4/27/12

Fri, 27 Apr 2012 16:07:25 -0500

Between 2:43 p.m. and 2:56 p.m. on April 27, 2012 the SOS tracking system inadvertently sent out email messages about previously closed compromised host cases.

If you received a Summary Analysis message during this time frame, no action is required on your part. Please accept our sincere apologies for any inconvenience and/or stress that this error may have caused you.

April 2012 OUCH! Newsletter from SANS

Thu, 05 Apr 2012 16:18:40 -0500

Below is a link to the April 2012 OUCH! security awareness newsletter, produced by SANS. This month's topic is Metadata, led by James Tarala. The newsletter provides a good supplemental educational resource to any security awareness activities going on in your respective areas. Please feel free to share it with colleagues and staff, as appropriate.

OUCH! | April 2012 - Metadata (English)

Missed the March edition, need a translation, or want to check out more of the archives? Visit these links:
OUCH! | March 2012 - E-mail Dos and Don'ts
OUCH! | Translations and Archives

Security Conference 2012 Feedback and Thank You!

Tue, 03 Apr 2012 14:14:53 -0500

Thank you to all the speakers, vendors and Penn State faculty and staff that attended the 2012 Security Conference on Monday, April 2, and Tuesday, April 3, 2012. Both days of the conference were a great success and we look forward to seeing you all at future security training and awareness offerings!

We would love to hear your thoughts about the event. Please take a few minutes to complete our online feedback survey. We appreciate your comments to help us make future events an even bigger success.

If you have any additional questions, please send them to l-sos-events@lists.psu.edu.

Note: While the Security Conference was free for those who were registered and attended, be aware that individuals who registered and did not attend will have a fee charged to their departmental budget.

March 2012 OUCH! Newsletter from SANS

Mon, 19 Mar 2012 10:42:01 -0500

Below is a link to the March 2012 OUCH! security awareness newsletter, produced by SANS. This month's topic is e-mail dos and don'ts, led by Guest Editor Fred Kerby. The newsletter provides a good supplemental educational resource to any security awareness activities going on in your respective areas. Please feel free to share it with colleagues and staff, as appropriate.

OUCH! | March 2012 - E-mail Dos and Don'ts (English)

Missed the February edition, need a translation, or want to check out more of the archives? Visit these links:
OUCH! | February 2012 - Securing Your Mobile Device Apps
OUCH! | Translations and Archives

Registration Now Open for Penn State Security Conference 2012, April 2 and 3, 2012

Mon, 27 Feb 2012 13:43:49 -0500

Penn State faculty and staff are invited to attend the Penn State Security Conference 2012, scheduled for Monday, April 2, and Tuesday, April 3, from 8:00 a.m. to 5:00 p.m. at the Nittany Lion Inn, University Park, PA. The event is being sponsored by Security Operations and Services (SOS), a unit of Information Technology Services (ITS). The conference brings together security professionals to discuss today's most pressing security issues at Penn State and beyond.

Sessions on day one will focus on broader, more universal security topics, including new types of attacks, writing source code, securing operating systems and networks, and legal and ethical issues. Speakers external and internal to the University, as well as vendor presentations and displays will also be showcased. Day two presentations will cover
security issues specific to Penn State, and will address security technologies or processes being implemented in colleges, departments, or administrative units within the University. An agenda for both days is forthcoming and will be available at this link.

While this conference is a free event, registration for each day is required; attendees may register for either or both days by visiting the pages below:

Security Conference registration for Monday, April 2
Security Conference registration for Tuesday, April 3

Registration closes on Friday, March 23.

Those who register and then cannot attend should cancel registration prior to March 23 via the registration website or by sending notification to l-sos-events@lists.psu.edu after March 23. Please note that individuals who are registered and do not attend will be charged a fee to their departmental budget.

Due to limited seating, registration is on a first-come, first-serve basis. Both conference days will include a lunch buffet as well as refreshment breaks.

Inquiries and requests for assistance regarding this event should be directed to l-sos-events@lists.psu.edu.

February 2012 OUCH! Newsletter from SANS

Mon, 13 Feb 2012 08:51:06 -0500

Below is a link to the February 2012 OUCH! security awareness newsletter, produced by SANS. This month's topic is mobile app security, led by Guest Editor Kevin Johnson. The newsletter provides a good supplemental educational resource to any security awareness activities going on in your respective areas. Please feel free to share it with colleagues and staff, as appropriate.

OUCH! | February 2012 - Securing Your Mobile Device Apps (English)

Missed the January edition, need a translation, or want to check out more of the archives? Visit these links:
OUCH! | January 2012 - Securing Your Home Wi-Fi Network
OUCH! | Translations and Archives

Learning Tree's IPv6 Migration and Security

Tue, 20 Dec 2011 14:57:02 -0500

Security Operations and Services (SOS), a unit of Information Technology Services (ITS), is pleased to offer, at a significantly reduce rate, Learning Tree's IPv6 Migration and Security course. The five-day course is scheduled for January 23-27, 2012, from 8:00 a.m.-5:00 p.m. at the Penn Stater Conference Center Hotel, University Park, PA. The cost for the course is $250, which includes lunch each day. For those who plan to travel from other Penn State campus locations, a block of rooms has been reserved at the Penn Stater. When reserving a room, make sure to note the block code as LEAA12A.

Requests to attend should be directed to l-sos-events@lists.psu.edu. Spaces for the class are limited to 20 seats. Requests for attendance will be accepted until January 11. Accepted individuals will be notified by January 13 (as will those who remain on a waiting list). If the waiting list is large enough, SOS plans to offer a second class in February.

Inquiries and requests for assistance, as well as requests for course outline/content information, should be directed to l-sos-events@lists.psu.edu.

Registration Now Open for Aspect Security's Secure Coding for Adobe ColdFusion 9

Wed, 02 Nov 2011 13:20:23 -0500

Security Operations and Services (SOS), a unit of Information Technology Services (ITS) is offering to the Penn State community, at a significantly reduced rate, Aspect Security's "Secure Coding for Adobe ColdFusion 9." The three-day session will be held November 14 through November 16, 2011, from 9:00-5:00 p.m., at the Penn Stater Conference Center Hotel, University Park, PA. The cost for this training is $250.00, which includes lunch and morning and afternoon breaks. To register, visit our registration page. Please note that seating is limited.

Session details are available via the Aspect Security Curriculum Web page.

Inquiries and requests for assistance should be directed to l-sos-events@lists.psu.edu.

Information Security and You: Learn. Know. Protect.

Tue, 16 Aug 2011 16:25:53 -0500

This video series, "Information Security and You: Learn. Know. Protect.," is available to all Penn State students, faculty, and staff, by Security Operations and Services (SOS), a unit of Penn State Information Technology Services (ITS). The series of online educational videos is provided to the Penn State community through a series produced by The SANS Institute, a cooperative research and education organization. Established in 1989, the SANS Institute develops security-training programs that reach more than 165,000 system and security professionals around the world.

The videos have been designed to provide quick, effective awareness messages about a variety of information security-focused topics, such as creating strong passwords, using social media tools more safely, wireless security, smartphone/handheld security, as well as policies and laws. The videos are not intended to replace training programs or course work, but are meant to serve as a supplemental educational resource, as well as foster broader information technology security awareness across the University.

The videos are housed in ANGEL to help faculty members and instructors easily reference them in their respective courses. Options and instructions for using the videos with a course or group are found in the ITS KB article at http://kb.its.psu.edu/article/1672/.

Inquiries and requests for assistance should first be directed to the ITS Help Desk staff at helpdesk@psu.edu.

SANS Security 546 - IPv6 Essentials

Tue, 24 May 2011 11:20:59 -0500

Security Operations and Services (SOS), a unit of Information Technology Services (ITS) is pleased to announce that Penn State will serve as a remote host site for the SANS Security 546 - IPv6 Essentials course, taught by Johannes Ullrich, Ph.D. Dr. Ullrich will teach the course live from the University of New Mexico, and Penn State will join the course via video. This course will be offered to the Penn State community free of charge to the first 70 registrants. The class will be broadcast in 108 Wartik on the University Park campus from 10:00 a.m. to 6:00 p.m. on Monday, June 20th, 2011. Employees located at other Penn State campuses who would like to participate may join the session remotely.

IPv6 is here now and presents its own unique technical and security challenges. Whether the planning and implementation in your area is mature or just beginning, this class will provide detailed information and practices crucial to your success. Everyone involved in system and network operations can benefit from attending.

A description of the course is available on the SANS website. Additional details will be made available once the official agenda is released.

Please note that a properly configured laptop is required. Laptop requirements can be reviewed on the course description page. Please also note, per the registration instructions below, that attendees must select to PAY BY CHECK in order for the billing to be handled correctly and so that a charge is not imposed to one's University area.

To register visit the SANS course registration page and follow the instructions below:

Select Penn State from the locations, and choose K-12 & Higher Education as your employment status.
Enter your information on the registration form and submit it to reach the billing screen.
On the billing screen, click , located toward the bottom of the screen.
Send the $365 invoice to Kathy Deck at kab4@psu.edu, who will handle and process the registration fee. If you are joining remotely from another Penn State campus, please indicate this on the invoice.

NOTE: If you register and cannot attend (or send a substitute), your department will be billed $365, which covers the cost of registration and materials.

Inquiries and requests for assistance should be directed to l-sos-events@lists.psu.edu or 814-863-9533.

Registration Now Open for Aspect Security's Building and Testing Secure Web Applications

Fri, 15 Apr 2011 16:29:52 -0500

Security Operations and Services (SOS), a unit of Information Technology Services (ITS) is offering to the Penn State community, at a significantly reduced rate, Aspect Security's "Building and Testing Secure Web Applications." The two-day session will be held on May 24 and 25, 2011, from 9:00-5:00 p.m., at the Penn Stater Conference Hotel, University Park, PA. The cost for this training is $250.00, which includes lunch and morning and afternoon breaks. To register, visit our registration page. Please note that seating is limited.

Session details are available via the Aspect Security Curriculum Web page.

For those who plan to travel from other Penn State campus locations, a block of six rooms have been reserved at the Penn Stater. When reserving a room, make sure to note the block code as ASPE11B.

Inquiries and requests for assistance should be directed to
l-sos-events@lists.psu.edu.

Browser Features for Privacy and Security

Mon, 14 Mar 2011 14:54:44 -0500

There are several types of threats that can affect the security of your computer and your personal privacy while browsing the web. Malware has become fairly commonplace and can be activated by simply navigating to a page with a malicious advertisement. The tools to build malware and snoop network traffic are also common and very easy to use. While the following steps do not guarantee against infection or privacy leaks, they do help mitigate many of the most common threats.

Network Risks

The introduction of Firesheep last year made it painfully obvious that it is easy to view someone else's web-browsing sessions when on unsecured networks. This type of attack allows another user on the network to use your account as long as you remain logged in. The best way to prevent someone from using your session data without your knowledge is to only use secure HTTPS sites when you are on an unencrypted network. Many of the sites targeted by Firesheep now offer secure sockets layer (SSL) encryption for the entire session, but if you use sites that don't offer full SSL sessions, or only use SSL during the login process, there are precautions you can take to further protect yourself.

Firefox
The HTTPS Everywhere add-on rewrites requests for many sites that offer partial HTTPS services to make sessions fully encrypted. The NoScript add-on also has a feature allowing one to specify which sites should be forced to communicate using HTTPS.
IE, Chrome, Safari, and Opera
While there is some development along these lines for Chrome and Opera, there are no suitable extensions to force full HTTPS sessions in these browsers.

Scripting Risks

Most of the web pages you visit today are a collage of content from several different sources. It is very unlikely that every site you visit has fully examined the scripts running in all of the advertisements and third-party services on their pages, due to the rapid update cycle on popular sites. For example, when you go to CNN.com, you receive content from at least four other web servers. One of the most commonly exploited vulnerabilities on many sites is known as cross-site scripting (XSS). XSS usually involves a specially-crafted link that takes advantage of vulnerable code on websites or outdated browsers and plug-ins. When you click that link, scripts can be arbitrarily run on your computer. Sometimes, one only needs to view the page containing the malicious ad to activate the script. Consequently, it is very important to keep your browser and all of the associated plugins, like Adobe Flash, Adobe Reader, Java, Adobe Shockwave, Microsoft Silverlight, etc., up-to-date. All major browsers allow you to disable Java and JavaScript, and build whitelists for sites you trust to run scripts on your computer. This can be a difficult process, but there are add-ons that can help.

Firefox
The NoScript add-on blocks all scripting on a web page, and allows you to selectively choose which scripts should run. For example, you can choose to play an Adobe Flash video on a page without allowing any of the advertising scripts to execute. It also provides options for permanent whitelisting and temporary permissions for scripts.
Internet Explorer 8 (IE8)
IE8 contains an XSS Filter which blacklists many known XSS vulnerabilities. This is not as comprehensive as NoScript's capabilities, but is worth implementing if you use Internet Explorer.
Opera
BlockIt is a userscript for Opera that blocks scripts and allows for selective execution after a page loads.
Chrome
If you choose to disable Java and JavaScript in Chrome, when you visit a site that wants to run a script, you are prompted to continue blocking or allow the site. This makes whitelisting easier, but does not allow the same granularity and temporary permissions provided by NoScript or BlockIt.
Safari:
There are no options beyond disabling Java and JavaScript.

Protecting Your Privacy

Before we get into technical tools, the best way to protect your privacy is to give out as little of your personal information as possible. Be very careful about giving your address, Social Security number, or any financial information. If you choose to provide this information on a website, verify that it uses SSL. If something doesn't look or feel right, use the phone or find a more trustworthy vendor.

When you browse the web, your browser utilizes "cookies" &endash; small data files that keep track of the sites you visit, and what you do with those sites. When you visit a site, you may get additional cookies from advertisers and the site's partners. Most browsers allow you to reject these third party cookies, and doing so generally does not affect your browsing experience. In addition to the cookies your browser stores and controls, plug-ins like Adobe Flash also store local storage objects (LSOs), which are like cookies but much larger. Since your browser is unaware of where these are stored or how they are used, they are difficult to find, manage, and delete. There are add-ons that can help manage and remove these LSOs.

Firefox
Ghostery is an add-on that finds LSOs, provides information about the sites that set them, and allows you to delete them automatically if you choose. The Better Privacy add-on is similar, but is more of a "set-and-forget" tool that removes LSOs when you exit your browser or after a certain amount of time.
IE, Chrome, Safari
Ghostery is available for these browsers as well.
Opera
Does not have have any extensions for managing LSOs at this time.

Best Practices for Passwords

There have been several high-profile, embarrassing compromises where attackers were able to jump from one account to the next because passwords were easily cracked, and were reused between sites. Given the number of accounts the average web user has, keeping different passwords for every site can be very difficult, especially if they are sufficiently complex. There is an excellent web service called LastPass that works with all of the major browsers and mobile platforms. It allows you to have a single password for managing all of your online accounts. It can generate complex passwords, automatically fill forms, and remember new accounts as you sign up for them. LastPass stores your information in an encrypted format. Of course, this is a single point of failure and can lock you out of all your accounts if you forget your LastPass password or if the site goes down, so plan to securely keep a copy of your passwords outside of LastPass. In the event that any of the previous issues affect you or your computer, if you manage your passwords wisely, the extent of the damage would be very limited.

Register now for Security Training Opportunities

Wed, 02 Mar 2011 11:53:54 -0500

Security Operations and Services (SOS), a unit of Information Technology Services (ITS) is offering to the Penn State community, at a significantly reduced rate, two security-oriented Learning Tree training sessions. The sessions and session dates, noted below, will be held at the Penn Stater Conference Hotel, University Park, PA, from 9:00-5:00 p.m. The cost for each session is $250.00, which includes lunch, and morning and afternoon breaks.

For those who plan to travel from other Penn State campus locations, a block of six rooms have been reserved at the Penn Stater. When reserving a room, make sure to note LEAC11B for the UNIX/Linux course and/or CISD11A for the CISSP course.

To register, visit the SOS registration page. Please note that seating is limited. Inquiries and requests for assistance should be directed to l-sos-events@lists.psu.edu.

Session Details:

UNIX® and Linux® Security: Hands-On
March 21-24, 2011
The UNIX family of operating systems, including the Linux versions, is prized by IT professionals for its flexibility and openness. However, vulnerabilities can make UNIX systems susceptible to information assurance threats. In this course, you gain the skills needed to secure your UNIX and Linux platforms. You learn to use tools and utilities to assess vulnerabilities, detect threats and provide effective access controls. Additional details are available at Learning Tree's course description.

The (ISC)2® CISSP® CBK® Review Seminar
April 25-29, 2011
This course provides a comprehensive overview of information security concepts and industry best practices and is the only review course endorsed by (ISC)2. In this course, you cover the ten CISSP domains as outlined in the (ISC)2 CBK and analyze the latest information-system security issues. You also develop an individual study plan to enhance your exam preparation skills. Additional details are available at Learning Tree's course description.

EDUCAUSE & HEISC Security Poster & Video Contest for Students

Tue, 08 Feb 2011 10:20:25 -0500

from the EDUCAUSE website:

Information Security Awareness Student Poster & Video Contest

Win cash, gain experience, and earn national recognition with a poster or one short video!

The EDUCAUSE & Internet2 Higher Education Information Security Council (HEISC) is conducting a contest in search of short information security awareness videos and posters developed by college students for college students. The contest seeks creative, topical, and effective posters and videos of two minutes or less that focus attention on information security problems and how best to handle them.

Winners will receive cash prizes, and their videos and posters will be featured on the HEISC website (www.educause.edu/security). The winning videos and posters may be used in campus security awareness campaigns.

A gold, silver, and bronze prize will be awarded in three categories--training films of two minutes or less, 30-second public service announcements (PSAs), and posters--for a total of nine cash prizes. Honorable mention prizes will also be awarded.

Cash prizes

Gold: $1,500

Silver: $1,000

Bronze: $500

Deadline: March 11, 2011.

For more information, visit http://www.educause.edu/SecurityVideoContest2011.

Good luck!