Information Security Awareness Training by Wilfrid Laurier University
Published in Business, Technology, Education
Speaker notes
  • Information revolution since the 1980s: the 21st century is the information century. All businesses use information to operate, develop and compete.
    More and more vulnerabilities are found in technology, as seen in the news and on websites. Billions of dollars were lost to identity theft in the USA in 2005. Industrial espionage, theft of credit card numbers, denial-of-service attacks.
    Impact on business: financial loss, effect on staff morale, damage to reputation and public image. Add examples.
    The University of Minnesota lost 2 computers whose hard drives held more than 13,000 student records and over 600 social security numbers; the university now provides mandatory data security training for all staff.
    The University of California, Berkeley lost a laptop from its graduate school admissions office, exposing 98,000 people's personal information.
    Strengthen the house before the storm comes.
  • Unlicensed software leads to litigation, financial loss and possibly malicious code.
    New viruses emerge every day, and an old definition file cannot protect your computer against them. Viruses propagate through floppy disks, USB drives, CDs etc. If a CD is set to autorun, interrupt the installation and scan the whole CD before the installation starts.
  • At the least, keep your PC silent when attackers call you by ping: the personal firewall should drop inbound ICMP echo requests so the host never answers a scan. Not answering only hides the machine from casual sweeps; it fixes nothing, so the other do's still apply.
  • Here are the Firewall options
  • Once new vulnerabilities are released, they become a playground for script kiddies, who grab ready-made attack tools and try them out of curiosity.
  • Why a password? It is not a useless step to get past; it is the lock on your information treasure box. If your password is too weak, your treasure is likely to be stolen. It provides authentication, authorization and accountability.
    Authentication: who you are, and how you can prove it
    Authorization: your access privileges according to who you claim to be, i.e. your profile
    Accountability: for auditing, the activities under your account are your responsibility
    Good password: (@t&d09S, D1(ti0n@ry, Q6f^01d
    The quick brown fox jumps over the lazy dog
    (Caveat: D1(ti0n@ry is the word "dictionary" with character substitutions, which password-cracking tools undo automatically, and Q6f^01d is only 7 characters. A random string of 8 or more characters, or a passphrase of your own rather than a well-known quotation, is the safer model.)
    Bad password: access, password, admin, qwerty, asdfgh, 123456, ottffs
  • Identify the difference between a home computer and a business computer, personal use and business use.
    ITS will not take any responsibility if personal data (e.g. a credit card number) is lost because of non-business use.
    Screen saver; Ctrl-Alt-Del combination to lock the screen.
    If your computer is stolen, your data, which is more important and expensive than the computer itself, is lost completely. Your Windows password no longer protects it: a logon password can be bypassed easily, and it does not encrypt the disk, so only disk or file encryption protects data on a stolen machine.
    For software/hardware installation requirements, contact the help desk instead of exploring on your own and taking risks.
    Some wrong actions can lead to massive consequences.
    Configure backup in the office suite, and manually back up to a USB drive or floppy disk.
    Client/server system users (such as Banner users) do not have to worry about the data on the Banner servers, because it is backed up by ITS.
  • If your computer slows down, contact ITS; it is not the security applications' fault.
    With physical access to a computer, key loggers and trojan software (Back Orifice, VNC etc.) can be installed, and data can be copied, modified or deleted...
    ITS does not need your password to perform any work. In any case where it is needed, you will be asked to type it rather than tell it.
    Personal computing devices are not supposed to be used at work, and ITS does not support them.
    A wireless connection is not safe: traffic can be sniffed, WEP is broken outright, and WPA with a weak pre-shared key can be cracked offline from a captured handshake. Use wireless only for browsing, not for any kind of login or for transferring confidential data; only encryption of the session itself (HTTPS or a VPN) protects such traffic over wireless.
    Please contact ITS if any software is required. ITS can provide an anti-executable tool, which prevents unnecessary software being installed without authorization, for $10 per year.
    The Students Union and PPNP have implemented this, and the users are fairly happy with it.
    ITS won't send emails with attachments, and banks won't either. Call the help desk to verify an email when necessary. Suggest converting to GroupWise for its spam-handling features.
    While Christmas is coming, more and more online frauds arrive with Santa.
  • Google the keyword or look it up at http://www.trendmicro.com/vinfo/hoaxes/default.asp to verify it.
    Usually, an email with "Urgent" in the Subject is a positive, i.e. a hoax or scam.
  • Social Engineering is the acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of an inappropriate trust relationship with insiders.
    The goal of social engineering is to trick someone into providing valuable information or access to that information
  • If you cannot personally identify a caller who asks for personal information about you or anyone else (including badge number or employee number), for information about your computer system, or for any other sensitive information, do not provide the information. Insist on verifying the caller’s identity by calling them back at their proper telephone number as listed in your organization’s telephone directory. This procedure creates minimal inconvenience to legitimate activity when compared with the scope of potential losses.
    Remember that passwords are sensitive. A password for your personal account should be known ONLY to you. Systems administrators or maintenance technicians who need to do something to your account will not require your password. They have their own password with system privileges that will allow them to work on your account without the need for you to reveal your password. If a system administrator or maintenance technician asks you for your password, be suspicious.
    Systems maintenance technicians from outside vendors who come on site should be accompanied by the local site administrator (who should be known to you). If the site administrator is not familiar to you, or if the technician comes alone, it is wise to give a call to your known site administrator to check if the technician should be there. Unfortunately, many people are reluctant to do this because it makes them look paranoid, and it is embarrassing to show that they do not trust a visitor.
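The password notes above (and the rules on slide 14) describe a policy in prose. The checker below is an added example, not code from the deck or from Laurier ITS: it applies those rules to a candidate password and reports which ones it breaks. The 8-character minimum, the small built-in word list, the leet-substitution table and the `login` parameter are assumptions made for the example; a real deployment would load a full dictionary and a breached-password list.

```python
"""Password policy check for the rules on slide 14 (added example, not from the deck)."""
import re
import string

MIN_LENGTH = 8  # assumption: the deck states no minimum; 8 is the usual floor today

# Constructed stand-in for a real word list; a deployment would load a full
# dictionary file (and a breached-password list) instead.
DICTIONARY = {
    "access", "password", "admin", "dictionary", "laurier", "university",
    "welcome", "secret", "letmein", "banner", "groupwise",
}

# Keyboard rows used to spot patterns such as qwerty, asdfgh and 123456.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Leet substitutions that cracking tools undo before a dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "(": "c", "!": "i"})


def normalized(pw):
    """Undo leet substitutions and drop non-letters: D1(ti0n@ry -> dictionary."""
    return "".join(c for c in pw.lower().translate(LEET) if c.isalpha())


def is_keyboard_pattern(pw, min_run=4):
    """True if pw contains min_run adjacent keys from one row, forwards or backwards."""
    p = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in p:
                    return True
    return False


def check_password(pw, login=""):
    """Return the policy rules a candidate breaks; an empty list means it passes."""
    problems = []
    words = pw.split()
    # A multi-word passphrase gets its strength from length, not from symbols.
    passphrase = len(pw) >= 20 and len(words) >= 4
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if login and login.lower() in pw.lower():
        problems.append("contains the login name")
    classes = sum([
        any(c.islower() for c in pw), any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw),
    ])
    if classes < 3 and not passphrase:
        problems.append("uses fewer than 3 character classes")
    if normalized(pw) in DICTIONARY:
        problems.append("is a dictionary word (even after leet substitution)")
    if is_keyboard_pattern(pw):
        problems.append("contains a keyboard pattern")
    if re.search(r"\d{4,}", pw):
        problems.append("contains a run of 4+ digits (looks like a year, date or ID)")
    return problems


if __name__ == "__main__":
    # The deck's own good and bad examples, run through the checker.
    for candidate in ["(@t&d09S", "D1(ti0n@ry", "Q6f^01d",
                      "The quick brown fox jumps over the lazy dog",
                      "access", "password", "admin", "qwerty", "asdfgh",
                      "123456", "ottffs"]:
        verdict = check_password(candidate) or ["OK"]
        print(f"{candidate!r:48} {'; '.join(verdict)}")
```

Run against the deck's own list, the checker passes (@t&d09S and the passphrase, rejects D1(ti0n@ry because it normalizes to the word "dictionary", and rejects Q6f^01d on length alone. The passphrase passes on structure only: a famous quotation like that pangram sits in cracking word lists, so use a phrase of your own. ottffs is caught here only by its length; that is exactly the kind of mnemonic a breached-password list exists to catch.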

Transcript

  • 1. Information Security Awareness Training
  • 2. Why Information Security? Information is a valuable asset for all kinds of business. More and more information-related crimes happen. Information leakage or damage will impact, even finish, a business.
  • 3. Do’s and don’ts Do use licensed and supported software. Do have an anti-virus tool, keep it up to date, and scan portable media before use.
  • 4. Verify your Anti-virus is up to date
  • 5. Verify your Anti-virus is up to date
  • 6. Do’s and don’ts (continued) Do have your Personal Firewall set to ON
  • 7. Verify your Personal Firewall is ON
  • 8. Verify your Personal Firewall is ON
  • 9. Verify your Personal Firewall is ON
  • 10. Verify your Personal Firewall is ON
  • 11. Configure Screen Saver
  • 12. Configure Screen Saver
  • 13. Do’s and don’ts (continued) Do keep Windows XP security patches up to date. Do keep software up to date. Do choose a strong password, change it periodically, and make sure that you are the only person who knows it.
  • 14. Pa55VV0RD!! Don't use your login name in any form. Don’t use a word or words contained in any language’s dictionary. Don't use numbers significant to you or someone close to you, or associated with the University. Don't use passwords based on simple keyboard patterns. Remember it, or keep it in a protected place such as a locked safe.
  • 15. Do’s and don’ts (continued) Do use Laurier’s resources for business purposes, please! Do lock your screen/computer when unattended. For laptop users, do keep your eyes on it, and use a cable lock when necessary. Do contact the ITS Help Desk when necessary. Do report incidents and abnormal things to the designated people, and leave the scene untouched if you don’t know what to do. Do back up your documents. Do think about IT security on a regular basis.
  • 16. Do’s and don’ts (continued) Do not shut down security applications on your computer, including the anti-virus tool, firewall, automated update etc. Do not let unknown people touch your computer; feel free to challenge their ID when necessary. Do not give out your password to anyone, including ITS staff. Do not provide your password in an email reply. Do not connect personal computing devices to the WLU wired network. Do not use insecure wireless connections. Do not open an email attachment unless you are certain of the veracity of its contents. Do not open an unknown website or URL unless you are certain of its veracity.
  • 17. Example
  • 18. Example
  • 19. Example
  • 20. Example
  • 21. Example
  • 22. Social Engineering Social Engineering is the acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of an inappropriate trust relationship with insiders The goal of social engineering is to trick someone into providing valuable information or access to that information
  • 23. Suggestion 1 If you cannot personally identify a caller who asks for personal information about you or anyone else, for information about your computer system, or for any other sensitive information, do not provide the information. Insist on verifying the caller’s identity by calling them back at their proper telephone number as listed in telephone directory. This procedure creates minimal inconvenience to legitimate activity when compared with the scope of potential losses.
  • 24. Suggestion 2 Remember that passwords are sensitive. A password for your personal account should be known ONLY to you. Systems administrators or maintenance technicians who need to do something to your account will not require your password. They have their own password with system privileges that will allow them to work on your account without the need for you to reveal your password. If a system administrator or maintenance technician asks you for your password, be suspicious.
  • 25. Suggestion 3 Systems maintenance technicians from outside vendors who come on site should be accompanied by the local site administrator. If the site administrator is not familiar to you, or if the technician comes alone, it is wise to give a call to your known site administrator to check if the technician should be there. Unfortunately, many people are reluctant to do this because it makes them look paranoid, and it is embarrassing to show that they do not trust a visitor.
  • 26. Thanks for your time! Any questions or suggestions? To download these slides, go to computersecurity.wlu.ca, Security Awareness Training. Recommended: Tips of the Day; Guidelines to Password Selection. Grant Li, ext. 2797, Email: gli@wlu.ca
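The e-mail advice in the notes (ITS and banks do not send attachments, "Urgent" in the subject is a positive, verify by phone) and the don'ts on slide 16 are rules a reader applies by eye. The triage function below is an added example, not code from the deck or from Laurier ITS: it parses a raw message with Python's standard `email` module and reports the same red flags. The trusted domain `wlu.ca`, the urgency and credential word lists, the display-name heuristic and all three sample messages (sender addresses included) are constructed for the example and are not real correspondence.

```python
"""Heuristic phishing triage over raw e-mail text (added example, not from the deck)."""
import email
import re
from email import policy

# Word lists are assumptions for the example; tune them to your own mail flow.
URGENCY = re.compile(r"\b(urgent|immediately|suspended|act now|verify your account)\b", re.I)
CREDENTIAL = re.compile(r"\b(password|passphrase|pin)\b", re.I)
CLAIMS_AUTHORITY = re.compile(r"\b(its|help ?desk|bank|support)\b", re.I)
LINK = re.compile(r'<a\s+[^>]*href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)
HOST = re.compile(r"^(?:https?://)?([^/\s<>]+)", re.I)


def _host(url):
    """Hostname part of a URL or bare domain, lower-cased ('' if none)."""
    m = HOST.match(url.strip())
    return m.group(1).lower() if m else ""


def phish_indicators(raw, trusted_domains=("wlu.ca",)):
    """Return the red flags found in one RFC 822 message; an empty list means none."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    subject = msg["Subject"] or ""
    if URGENCY.search(subject):
        hits.append("urgency wording in subject")
    # A display name that claims ITS or a bank while the address is outside
    # the trusted domains is the classic spoof.
    addrs = msg["From"].addresses if msg["From"] else ()
    sender = addrs[0] if addrs else None
    if sender:
        domain = sender.addr_spec.rsplit("@", 1)[-1].lower()
        if domain not in trusted_domains and CLAIMS_AUTHORITY.search(sender.display_name):
            hits.append(f"display name claims ITS/bank but sender domain is {domain}")
    for part in msg.iter_attachments():
        hits.append(f"attachment {part.get_filename()} (ITS and banks do not send attachments)")
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    if CREDENTIAL.search(body):
        hits.append("asks for a password")
    # Visible link text that names one host while the href goes to another.
    for m in LINK.finditer(body):
        text = re.sub(r"<[^>]+>", "", m.group("text")).strip()
        if "." in text and " " not in text and _host(text) != _host(m.group("href")):
            hits.append(f"link text shows {_host(text)} but points to {_host(m.group('href'))}")
    return hits


# Constructed samples for the example; the addresses and hosts are fictional.
PHISH = """From: "WLU ITS Help Desk" <support@wlu-its-security.com>
To: staff@wlu.ca
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset="utf-8"

<p>Reply with your password within 24 hours or <a href="http://wlu-its-security.com/login">https://www.wlu.ca/login</a></p>
"""

ATTACHMENT_PHISH = """From: "Campus Bank Alerts" <alerts@example.net>
To: staff@wlu.ca
Subject: Your statement is attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached statement and confirm the balance.
--b1
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

LEGIT = """From: ITS Help Desk <its-helpdesk@wlu.ca>
To: staff@wlu.ca
Subject: Security awareness training slides posted
Content-Type: text/plain; charset="utf-8"

The slides are on computersecurity.wlu.ca under Security Awareness Training.
Questions: call the Help Desk at the number in the directory.
"""

if __name__ == "__main__":
    for name, sample in [("PHISH", PHISH), ("ATTACHMENT_PHISH", ATTACHMENT_PHISH), ("LEGIT", LEGIT)]:
        print(name, phish_indicators(sample) or "no indicators")
```

The function scores, it does not decide: one hit (a bank that really is writing to you, say) is a reason to pick up the phone to the number in the directory, exactly as the notes advise, while the first sample trips four rules at once. The display-name check deliberately stays quiet for the third message because its address is inside the trusted domain; that is also why the trusted list must hold only domains you actually control.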