Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009
1. SET
INFORMATION SYSTEMS AND DATA SECURITY AWARENESS PROGRAM
FUSION BPO SERVICES, Inc.
2.
'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.'
3. What is an Information Systems and Data Security Policy?
It can be defined as the rules that regulate how an organization manages and protects its internal information, its external customer or client information, and its computing resources.
Why do we need a Security Policy?
The policy tells users, staff and managers what they can do, what they cannot do and what they must do to comply with security policy and practice.
Purpose:
To ensure business continuity by reducing or minimizing damage to the business through safeguarding the confidentiality, integrity and availability of information.
4. Why do I need to learn about computer security?
Isn’t this just an IT problem?
Everyone who uses a computer needs to understand how to keep his or her computer and data secure.
5. Why I Need Information Security Training
Security awareness is a critical part of an organization's information security program; it is the human knowledge and behaviors that the organization uses to protect itself against information security risks. Humans, just like computers, store, process and transfer information. As a result, many attackers today target the human, bypassing most security controls and using techniques such as social engineering to get the information they want. Awareness, not just technology, is now a key factor in an organization's goal to:
Reduce risk,
Protect its reputation,
Improve governance, and
Be compliant.
6. Why I Need Information Security Training
Security awareness training is designed to educate users on the appropriate use, protection and security of information, individual user responsibilities, and the ongoing maintenance necessary to protect the confidentiality, integrity and availability of information assets, resources and systems from unauthorized access, use, misuse, disclosure, destruction, modification or disruption.
The long-term benefits to your organization of a successful security awareness program include enhanced awareness, increased security and improved online productivity for employees and the company as a whole.
7. What Is Information Security
The quality or state of being secure: to be free from danger.
Security is achieved using several strategies simultaneously or in combination with one another.
Security is recognized as essential to protect vital processes and the systems that provide those processes.
Security is not something you buy, it is something you do.
8. What Is Information Security
An architecture in which an integrated combination of appliances, systems and solutions, software, alarms and vulnerability scans work together, monitored 24x7.
It involves People, Processes and Technology (PPT), together with policies and procedures.
Security is for PPT and not only for appliances or devices.
9. INFORMATION SECURITY
1. Protects information from a range of threats
2. Ensures business continuity
3. Minimizes financial loss
4. Optimizes return on investments
5. Increases business opportunities
10. Security breaches lead to…
• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative breaches leading to legal actions (Cyber Law)
• Loss of customer confidence
• Business interruption costs
LOSS OF GOODWILL
11. What is Risk?
Risk: The possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.
Threat: Something that can potentially cause damage to the organization, IT systems or network.
Vulnerability: A weakness in the organization, IT systems or network that can be exploited by a threat.
12. Good security practices follow the “90/10” rule
10% of security safeguards are technical.
90% of security safeguards rely on us – the user – to adhere to good computing practices.
13. What are the consequences of security violations?
Disciplinary action (up to expulsion or termination)
Embarrassment to yourself and/or the Company
Having to recreate lost data
Identity theft
Data corruption or destruction
Loss of patient, employee and public trust
Costly reporting requirements and penalties
Unavailability of vital data
15. Passwords
Your password is your key to OC Inc / Fusion BPO Services data and resources.
Remember: Carelessness is dangerous!
If you receive a phone call from someone claiming to be a contractor working with IT Security, would you give them your password? NO!
How many of you have written your password down? What did you do with the paper? Is it tucked safely and securely away? If it is in the first place you would look (like under the keyboard), someone else would look there too!
16. Password construction and management
When selecting a password, you may naturally want to choose something easy to remember. But if it is easy for you, it may be easy for someone else to crack!
A password should not be:
Your name or any family member's name, including pets!
Your street name, car type, favorite singer, etc.
Any easily guessed or recognized name or word
Your previous password with a sequentially increased number at the end.
17. Password construction and management
A password should be:
A mixture of letters (both upper and lower case) and numbers and/or special characters
At least eight characters long, preferably longer
– for example, iH8TDieTs is a very good password. It has capitals, lower case and numbers. AND… it isn’t too tough to remember. Just say: I hate diets.
A password should never be:
…Taped to a monitor, keyboard, desk, desk accessory or anywhere visible
…Shared with ANYONE – NOT EVEN A SUPERVISOR!
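As an added example (not part of the original slides), a small Python checker that applies the construction rules from the two password slides: length, mixed case plus a number or special character, no personal names or words, and no re-use of the previous password with a bumped trailing number. The names in PERSONAL_WORDS are constructed sample data standing in for a user's own profile.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of words the slides say a password must not be built from:
# the user's own name, family and pet names, street, car type, favorite singer.
# In a real deployment this would be filled from the user's profile (assumption).
PERSONAL_WORDS = ["alice", "bob", "rex", "maple", "corolla", "bono"]


def _split_trailing_number(text: str) -> Tuple[str, str]:
    """Split 'Summer2009' into ('Summer', '2009'); no digits gives ('text', '')."""
    match = re.fullmatch(r"(.*?)(\d*)", text)
    return match.group(1), match.group(2)


def is_sequential_reuse(candidate: str, previous: Optional[str]) -> bool:
    """True when candidate is the previous password with its trailing number
    increased by one (Summer2008 -> Summer2009) or a number simply appended."""
    if not previous:
        return False
    stem_new, num_new = _split_trailing_number(candidate)
    stem_old, num_old = _split_trailing_number(previous)
    if not num_new or stem_new.lower() != stem_old.lower():
        return False
    if not num_old:
        return True  # old password had no number, new one just tacks one on
    return int(num_new) == int(num_old) + 1


def password_problems(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the slide rules the candidate breaks; an empty list means it passes."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than eight characters")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("needs both upper and lower case letters")
    if not re.search(r"[0-9]|[^A-Za-z0-9]", candidate):
        problems.append("needs a number or special character")
    lowered = candidate.lower()
    for word in PERSONAL_WORDS:
        if word in lowered:
            problems.append(f"contains a personal name or word ({word})")
            break
    if is_sequential_reuse(candidate, previous):
        problems.append("previous password with the trailing number increased")
    return problems


if __name__ == "__main__":
    # The slide's own example passes; the constructed bad choices do not.
    for pw, prev in [("iH8TDieTs", None), ("password", None),
                     ("Rex12345", None), ("Summer2009", "Summer2008")]:
        print(pw, "->", password_problems(pw, prev) or "OK")
```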
19. Email Usage
Some experts feel email is the biggest security threat of all. It is the fastest, most effective method of spreading malicious code to the largest number of users. It is also a large source of wasted technology resources.
Examples of waste:
Electronic greeting cards
Chain letters
Jokes and graphics
Spam and junk email
20. Pitfalls of email
1. Email is NOT secure – It is essential to understand that email does not go directly to the intended recipient. It is routed through various systems first. Remember, it is not impervious to prying eyes!
2. Email is open to abuse – Scams, mass mailings, junk mail and deceptive advertising can be delivered to your computer mailbox as easily as to your home mailbox.
3. Email is potentially harmful – It is the easiest, most effective conveyance of malicious code.
21. Should You Open the E-mail Attachment?
If it's suspicious, don't open it!
What is suspicious?
Not work-related
Attachments you were not expecting
Attachments with a suspicious file extension (*.exe, *.vbs, *.bin, *.com, *.scr or *.pif)
Web links
Unusual subject lines: “Your car?”; “Oh!”; “Nice Pic!”; “Family Update!”; “Very Funny!”
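As an added example (not code from the original slides), a Python triage routine that runs the checklist on this slide over a few constructed messages: it flags the listed extensions, goes one step further than the slide by also reporting a double extension such as "photo.jpg.scr" that hides the real file type, and flags web links and the example subject lines. The Message record and sample messages are assumptions made for the demonstration.

```python
import re
from pathlib import PurePosixPath
from typing import List, NamedTuple

# Extensions the slide lists as suspicious for attachments.
SUSPICIOUS_EXTENSIONS = {".exe", ".vbs", ".bin", ".com", ".scr", ".pif"}
# Subject lines the slide gives as examples of unusual topic lines.
LURE_SUBJECTS = {"your car?", "oh!", "nice pic!", "family update!", "very funny!"}


class Message(NamedTuple):
    """Minimal view of an incoming mail (assumed structure, not a real mail API)."""
    subject: str
    attachments: List[str]
    expected: bool       # was the recipient expecting an attachment from this sender?
    work_related: bool
    body: str


def attachment_warnings(name: str) -> List[str]:
    """Warnings for one attachment file name, judged on its final extension."""
    suffixes = PurePosixPath(name.lower()).suffixes
    warnings = []
    if suffixes and suffixes[-1] in SUSPICIOUS_EXTENSIONS:
        warnings.append(f"{name}: executable extension {suffixes[-1]}")
        if len(suffixes) > 1:
            # e.g. photo.jpg.scr: a harmless-looking extension sits in front of the real one
            warnings.append(f"{name}: double extension disguises the file type")
    return warnings


def triage(msg: Message) -> List[str]:
    """Apply the slide's 'what is suspicious?' checklist; empty list means no flag."""
    reasons = []
    if not msg.work_related:
        reasons.append("not work-related")
    if msg.attachments and not msg.expected:
        reasons.append("attachment was not expected")
    for name in msg.attachments:
        reasons.extend(attachment_warnings(name))
    if re.search(r"https?://|www\.", msg.body, re.IGNORECASE):
        reasons.append("contains a web link")
    if msg.subject.strip().lower() in LURE_SUBJECTS:
        reasons.append(f"unusual subject line: {msg.subject!r}")
    return reasons


# Constructed sample messages: one legitimate, two matching the slide's warning signs.
SAMPLE_MESSAGES = [
    Message("Q3 invoice reconciliation", ["q3_invoices.xlsx"], True, True,
            "Attached as discussed on the call."),
    Message("Nice Pic!", ["Nice Pic.jpg.scr"], False, False, "check this out!!"),
    Message("Oh!", [], False, False, "you have to see http://example.invalid/funny"),
]
```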
22. E-Mail Security – Risk Areas
1. Spamming. Unsolicited bulk e-mail, including commercial solicitations, advertisements, chain letters, pyramid schemes and fraudulent offers.
Do not reply to spam messages. Do not spread spam.
Remember, sending chain letters is against policy.
Do not forward chain letters. It’s the same as spamming!
Do not open or reply to suspicious e-mails.
2. Phishing Scams. E-mail pretending to be from trusted names, such as Citibank, PayPal or Amazon, but directing recipients to rogue sites. A reputable company will never ask you to send your password through e-mail.
3. Spyware. Spyware is adware which can slow computer processing down, hijack web browsers, spy on keystrokes and cripple computers.
23. E-mail Usage
Use official mail for business purposes only
Follow the mail storage guidelines to avoid blocking of e-mails
If you come across any junk / spam mail, do the following:
a) Remove the mail
b) Inform the security help desk
c) Inform the server administrator
d) Inform the sender that such mails are undesired
Do not use your official ID for any personal subscription purpose
Do not send unsolicited mails of any type, such as chain letters or e-mail hoaxes
Do not send mails to clients unless you are authorized to do so
Do not post non-business-related information to a large number of users
Do not open mail or attachments suspected of carrying a virus or received from an unidentified sender
24. Internet Usage
Use internet services for business purposes only
Do not access the internet through dial-up connectivity
Do not use the internet for viewing, storing or transmitting obscene or pornographic material
Do not use the internet for accessing auction sites
Do not use the internet for hacking other computer systems
Do not use the internet to download / upload commercial software / copyrighted material
The Technology Department is continuously monitoring internet usage. Any illegal use of the internet and other assets shall call for disciplinary action.
25. Physical Security
Would you leave your credit card exposed or unattended in a public place? Do you lock your car? Secure your wallet or purse?
Take those same precautions with your PC!
Log off or lock your PC when unattended.
Shut down your PC when you leave for the day… EVERY DAY!
Lock doors in accordance with Fusion BPO Services policy.
Secure your password!!!!
26. Access Control - Physical
Follow security procedures
Wear identity cards and badges at all times
Ask an unauthorized visitor for their credentials
All visitors must be escorted while onsite
Do not:
• Bring visitors into the operations area without prior permission
• Bring hazardous or combustible material into a secure area
• Practice “piggybacking”
• Bring and use pen drives, zip drives, iPods or other storage devices unless otherwise authorized to do so
27. Unique User Log-In / User Access Controls
Access Controls:
Users are assigned a unique “User ID” for log-in purposes
Each individual user’s access to OC Inc./Fusion BPO Services system(s) is appropriate and authorized
Access is “role-based”, i.e., access is limited to the minimum information needed to do your job
Unauthorized access to OC Inc./Fusion BPO Services by former employees is prevented by terminating their access
User access to information systems is logged and audited for inappropriate access or use.
28. Workstation Security
Workstations
Physical security measures include:
Disaster controls
Physical access controls
Device & media controls
Log off before leaving a workstation unattended. This will prevent other individuals from accessing secured data under your User ID and limit access by unauthorized users.
Lock up! – Offices, windows, workstations, sensitive papers and PDAs, laptops, mobile devices / media.
Lock your workstation (Ctrl+Alt+Del and Lock) – Windows XP, Windows 2000
29. Antivirus and Firewall
Make sure your computer has anti-virus, anti-spyware and firewall protection as well as all necessary security patches.
Don’t install unknown or unsolicited programs on your computer.
30. Report Security Incidents
You are responsible to:
Report and respond to security incidents and security breaches.
Know what to do in the event of a security breach or incident related to data security and/or personal information.
Report security incidents & breaches to: IT Security Team
31. Your Responsibility to Adhere to OCI Security / Information Security Policies
Users of electronic information resources are responsible for familiarizing themselves with and complying with all company policies, procedures and standards relating to information security.
Users are responsible for appropriate handling of electronic information resources.
32. Why can’t I play games online?
Online gaming on a company computer is against company policy.
Playing games on a company computer is forbidden.
Gaming sites, like MP3 download sites, are good places to pick up a virus. Script kiddies and hackers swarm around these sites like vultures. They use all the tricks of their trade to glean password and network information from gamers.
This is easy to avoid. Don’t do it!
33. Types of sites to avoid and WHY
Corporate sites that have a vested interest in protecting and maintaining public trust are more vigorous in protecting visitors’ email addresses and information. For example, sites such as CNN and Headline News want visitors to feel confident and comfortable on their web sites, so they will take measures to secure their sites. However, many other sites do NOT take measures to protect visitors’ data. In fact, they are notorious for harvesting and selling such data.
Please do not use your OC Inc. / Fusion BPO Services computer or email address for joke sites, dating sites, horoscopes, chat rooms, free grocery coupons and other related sites. Sites promising free goods, vacations and fun are good ones to put on the NO GO list.
These are all easy to avoid, and you will likely reduce your junk mail as well.
34. Common Terminology
What is a cookie? Cookies are small text files that some Web sites create when you visit. The file is used to store information on your computer.
What does encrypted mean? The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text.
What is a virus? A virus is a piece of code that is written specifically to execute itself without the user’s knowledge or permission. It will usually attach itself to a file in order to replicate and spread itself. Some viruses are harmless while others can cause serious damage.
35. Common Terminology cont.
What is phishing? The act of sending an e-mail falsely claiming to be from an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to a Web site which, however, is bogus and set up only to steal the user’s information.
What is spam? Electronic junk mail. Spam is generally e-mail advertising for some product sent to a mailing list or newsgroup. In addition to wasting people's time with unwanted e-mail, spam also eats up a lot of network bandwidth. Some ISPs, such as AOL, have instituted policies to prevent spammers from spamming their subscribers.
What is an audit trail? A record showing who has accessed a computer system and what operations he or she has performed during a given period of time.
36. Common Terminology cont.
What is Unauthorized Access? Any time a user gains access to a computer network without the consent of the computer's administrator.
What is Access Control? The prevention of unauthorized use of information assets. It is the policy rules and deployment mechanisms which control access to information systems, and physical access to premises.
Compliance: Adherence to those policies, procedures, guidelines, laws, regulations and contractual arrangements to which the business process is subject.
Malicious Software: Software, for example a virus, designed to damage or disrupt a system.
37. Common Terminology cont.
Password: Confidential authentication information composed of a string of characters.
Server: A server is a computer system, or a set of processes on a computer system, providing services to clients across a network.
User: A person or entity with authorized access.
Protected Information: Any participant or client information that the Department may have in its records or files that must be safeguarded pursuant to Department policy. This includes but is not limited to "individually identifying information".
38. Common Terminology cont.
Integrity: The property that data or information have not been altered or destroyed in an unauthorized manner.
FTP (File Transfer Protocol): A protocol that allows for the transfer of files between an FTP client and an FTP server.
Disclose: The release, transfer, relay, provision of access to, or conveying of client information to any individual or entity outside the Department.
Confidential Information: Any client information (defined above) that OC Inc may have in its records or files on any OC Inc client that must be safeguarded pursuant to OC Inc policy. This includes, but is not limited to, “individually identifying information”.
40. Problems Hackers Cause
A hacker intrusion could create a legal liability and public embarrassment for you and your organization.
Vandalism—Destruction or digital defacement of a computer or its data for destruction’s sake
Theft—Gaining access to intellectual or proprietary technology or information, sometimes for resale
Hijacking—Many of the financially motivated hackers are interested in remotely controlling PCs
Identity theft—Electronic theft of personal info that can be used to steal financial resources
Terrorism—Some experts believe that terrorists will eventually launch an attack using hacking techniques
41. Malware
Malware (aka crimeware or computer contaminant) is any program which can corrupt files and/or secretly report your information from your computer or network.
Viruses, worms, Trojans and spyware are the most common types of malware.
Many of these destructive programs attempt to reinstall and replicate themselves and are designed to be very difficult to remove from the host computer.
42. Malware
Virus - Software that gets installed on your computer, usually without your knowledge
– You can get “infected” by accessing something that is already infected with a virus
– Sources include floppy disks, USB drives, websites and email
Worm – Software that actively tries to spread itself to infect other computers
– Software worms can actively scan networks to infect others
– Worms can also be spread by e-mail applications that use the computer’s address book
Trojan - Damaging software that hides its identity by posing as something else, such as a screen saver or a greeting card. The Trojan, once installed, gives the attacker a back door into your system that can be used by the hacker as needed.
43. IT ACT PROVISIONS
Email is now a valid and legal form of communication in our country that can be duly produced and approved in a court of law.
Companies shall now be able to carry out electronic commerce using the legal infrastructure provided by the Act.
Digital signatures have been given legal validity and sanction in the Act.
The Act now allows the Government to issue notifications on the web, thus heralding e-governance.
A statutory remedy exists in case anyone breaks into a company's computer systems or network and causes damage or copies data.
44. Risks and Threats
Virus attacks
Theft, sabotage, misuse
High user knowledge of IT systems
Natural calamities & fire
Lack of documentation
Lapse in physical security
Systems & network failure
45. User Responsibilities
Ensure your system is locked when you are away
Always store laptops/media in a lockable place
Ensure sensitive business information is under lock and key when unattended
Ensure back-up of sensitive and critical information assets
Understand compliance issues such as:
Cyber Law
IPR, copyrights, NDAs
Contractual obligations with customers
Verify credentials if a message is received from an unknown sender
Always switch off your computer before leaving for the day
Keep yourself updated on information security aspects
46. Do’s And Don'ts
Email and messaging: Do
Read your organization’s email policy
Report any spam or phishing emails that are not blocked or filtered to your IT team
Report phishing emails to the organization they are supposedly from
Use your organization’s contacts or address book. This helps to stop email being sent to the wrong address.
Phishing is an attempt to obtain your personal information (for example, account details) by sending you an email that appears to be from a trusted source (for example, your bank).
47. Do’s And Don'ts
Email and messaging: Don’t
Click on links in unsolicited emails. Be especially wary of emails requesting or asking you to confirm any personal information, such as passwords, bank details and so on.
Turn off any email security measures that your IT team has put in place or recommended
Email sensitive information unless you know it is encrypted. Talk to your IT team for advice.
Try to bypass your organization’s security measures to access your email off-site (for example, forwarding email to a personal account)
Reply to chain emails.
48. Do’s And Don'ts
Passwords: Do
Follow OC Inc’s password policy
Use a strong password (strong passwords are usually eight characters or more and contain upper and lower case letters, as well as numbers)
Make your password easy to remember, but hard to guess
Choose a password that is quick to type
Use a mnemonic (such as a rhyme, acronym or phrase) to help you remember your password.
Change your password(s) if you think someone may have found out what they are.
49. Do’s And Don'ts
Passwords: Don’t
Share your passwords with anyone else
Write your passwords down
Use your work passwords for your own personal online accounts
Save passwords in web browsers if offered to do so
Use your username as a password
Use names as passwords
Email your password or share it in an instant message.
50. Do’s And Don'ts
Working on-site
Lock sensitive information away when left unattended
Remember, working at home is a privilege
Don’t let strangers or unauthorized people into staff areas
Don’t position screens where they can be read from outside the room.