Rothke Sia 2006
Presentation from SIA 2006: What Every Employee Needs to Know About Information Security, by Ben Rothke
1. What Every Employee Needs to Know About Information Security
   Ben Rothke, CISSP

2. About me
   - Previously with ThruPoint, Baltimore Technologies, Ernst & Young, Citibank
   - Have worked in the information technology sector since 1988 and in information security since 1994
   - Frequent writer and speaker
   - Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill 2006)

3. Agenda
   This session is:
   - An overview and introduction of the most common information security risks that you need to deal with
   - An awareness introduction, as a step in helping you take the precautions needed to protect your computer and data
   This session is not:
   - A comprehensive overview of information security
   - A full awareness session
   - A monologue
     - Feel free at any point today to make a correction, comment, etc.

4. A word from the lawyers
   - AXA is the world's largest financial services company and offers a wide spectrum of financial services and perspectives.
   - The views expressed in this presentation are those of the presenter and are not necessarily the views of AXA, its directors or affiliates. Nor does AXA make any representation or accept any liability for its accuracy or completeness.
   - AXA is not liable for any losses or damages arising from the use of the content of this presentation.

5. The need for information security
   - Protect data assets
   - Ensure the privacy, security and confidentiality of the petabytes of corporate, employee and client data
   - Ensure regulatory compliance

6. Universal goals of information security
   Goal              Threat          Question it answers
   Confidentiality   Interception    Are my communications private?
   Integrity         Modification    Has my communication been altered?
   Authentication    Fabrication     Who am I dealing with?

7. Today's security threats include (threat cloud shown on the slide)
   Lost backup tapes, hackers, risk matrix, software patches, power grid, data center, poor token management, political, malicious end-users, angry customers, regulatory compliance, contractors, telco, poor revocation processes, terrorists, legal liability, unions, external, environmental, DR/BCP, internal, unhappy customers, physical security, disgruntled employees, consultants, third-party, clients, operational, audit, lack of budget, vendor bankruptcy, software vulnerabilities, forensics, crypto keys, lack of staff, fraud, poor risk assessment, hacktivists, spyware, blogs, insecure software, wireless, Google, no documentation, organized crime, China, India, illegal downloads, web scripting, viruses, worms, malicious software, laptop stolen, phishing, identity theft, DoS, BlackBerry, social engineering, competition, information leakage, e-mail

8. The risks are real (image slide, no text)

9. What is security awareness?
   - Security awareness refers to those practices, technologies and services used to promote user awareness, user training and user responsibility with regard to security risks, vulnerabilities, methods and procedures related to information technology resources.
   - An initiative that sets the stage for training by changing organizational attitudes, so that people realize the importance of information security and the adverse consequences of security failures.

10. Why do we need security awareness?
   - We intuitively realize the need to safeguard our physical assets.
   - How to secure digital assets is not as intuitive.
   - Many people have a mindset that nothing important exists on their computer.
   - There is a misconception that technology alone solves all security problems.
   - Everyone needs to recognize the existence of internal threats as well as external threats.
   - Users need to change their beliefs, attitudes and behavior about using technology.

11. Security awareness
   - Different groups within the same organization have very different needs.
     - Legal, R&D, development, HR, finance, etc.
   - The IT risk management group will determine what those levels are for your organization.
   - All departments share the basic need, but the level and depth vary.
   - But they all need to be aware of the risks.

12. Your role within information security
   - You have a duty to be attentive to conditions and circumstances you observe and actions you directly take.
   - You must be diligent in your commitment to report suspicious activity.
   - You must understand company policy to become an effective team member.

13. Knowledge is power
   - Learn to protect information
   - Turn off computers not in extended use
   - Use passwords and change them regularly
   - Use shredders before discarding documents with proprietary, confidential or personal information
   - Be aware of potential telephone scams designed to solicit proprietary or personal information
   - Do not provide confidential information or access details to non-verified personnel
   - Avoid unnecessary transmittal of confidential data via e-mail or fax

14. Core awareness areas
   - Security starts at the door and goes to the top
   - Viruses
   - Spyware/crimeware
   - E-mail
   - Physical security
   - Laptops
   - Passwords
   - Social engineering
   - Phishing
   - Acceptable and incidental use

15. The most overlooked person
   - The reception area should be the first line of information security defense for many companies.
   - Receptionists need physical security and social engineering added to the basic user's skill set.

16. Executive level
   - The Board of Directors and other executives need to understand that they are ultimately responsible for the security of their company.
     - Laptop security
     - Legal issues
     - Regulatory

17. Viruses
   - A dangerous computer program whose characteristic feature is being able to generate copies of itself, and thereby spread.
   - May have a destructive payload that is activated under certain conditions.

18. Effects of a virus
   - Benign: annoying interruptions
     - such as displaying a comical message when striking a certain letter on the keyboard
   - Destructive:
     - file deletion / hard drive destruction
     - system slowdown
     - complete system compromise

19. Spyware, but call it crimeware
   - Any software that covertly gathers user information without their knowledge.
   - Often bundled as a hidden component of freeware or shareware programs.
   - Once installed, spyware monitors user activity on the Internet and transmits that information in the background to someone else.
   - Spyware can share your personal information with third parties without your knowledge or consent.

20. E-mail safety
   - A day-to-day necessity in our business world
   - Be aware of the exposures and dangers of e-mail:
     - Unwanted e-mail (spam) or abusive e-mail
     - Mail attachments: computer viruses
     - Requests for confidential information
     - E-mail forgery
     - Ease of misaddressing

21. E-mail safety
   - Be careful with e-mail attachments! They can be an open door to your computer.
     - Trust but verify: don't hesitate to contact the sender to verify that they actually sent an attachment
   - Avoid links to jokes, free downloads, etc.
     - Do you really know where that link goes?
   - Be aware of virus hoaxes
   - Be hesitant to submit personal data over e-mail

22. Corporate e-mail policies
   - E-mail is intended to be used primarily for business communications
   - E-mail must be used responsibly
     - You are accountable for the content of all text, audio or visual images originated, sent or forwarded.
   - E-mails sent through the corporate messaging system are the property of the company.
     - Your employer will likely use a monitoring system to capture, retain and archive all e-mail received and sent by users, regardless of whether the e-mail is deleted.
     - They retain the right to monitor messages and retrieve them at a later date for any purpose.
   - Use corporate domains to send and receive all business-related e-mail.
     - Don't use Hotmail, Yahoo, Gmail, etc.
   - Mass interdepartmental e-mails likely need to be reviewed and approved by the Internal Communications department.

23. E-mail safety (image slide, no text)

24. Physical security
   - Don't assume physical security for your areas
   - Lock your office
   - Laptop computers are ideal for thieves
     - About half of laptop thefts occur in offices or meeting rooms
     - It looks normal to carry one, in contrast to a desktop computer
     - One can be placed inside a backpack
     - They can be sold as used computers via electronic auctions and sales channels
     - They may contain information that is valuable to the right people

25. Physical security
   - Keep confidential documents off your desk
   - Don't share your access
   - Take note of strangers in your area
   - Use laptop locking devices
   - Keep a record of make, model and serial number
   - Be careful of piggybacking
     - This is when someone follows you through a locked door
   - Be careful of the "bump and run", especially in airports

26. Laptops
   - Favorite target of thieves
   - Less likely to draw attention
   - Easily hidden
   - Turn over fast at pawn shops and on eBay
   - Almost always contain confidential corporate data

27. Passwords
   - Your password is a very important secret
     - No Post-It notes
     - Do not share it with anyone
   - Change your password whenever you think it has been compromised
   - Check out Password Safe

28. Choosing effective passwords
   Effective passwords can be created by:
   - using at least one symbol or number, preferably not just one at the end
   - using a varying combination of lower and upper case letters (e.g. IsDIMs)
   - using longer passwords
   - using two words that normally don't go together, separated by a punctuation mark or number. For example, 'star6tan' would be difficult to guess
   - using the first letters of a phrase you can remember

29. Poor passwords
   - Alphabetic series, either forwards or backwards
     - ABCDEF, FEDCBA
   - Numeric series, either forwards or backwards
     - 123456, 654321
   - All identical letters or numbers
     - AAAAAA, 111111
   - Common keyboard sequences
     - ASDFG, QWERTY, ZXCVBN, POIUY, LKJHG
   - Easily guessed
     - userid, PID, or any variation thereof (backwards, changing case, etc.)
   - Words referring to anything noticeable about you
     - Spouse's name, child, pet, favorite team or literary character
   - Any word that appears in a dictionary
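Slides 28 and 29 are really a list of patterns to apply and patterns to reject, which is exactly what a password-policy check does. The script below is an added example and is not part of Rothke's presentation: `weak_password_reasons` reports which of the slide-29 patterns a candidate matches (series, repeated characters, keyboard rows forwards or backwards, userid and personal words, dictionary words, a lone symbol tacked on the end), and `password_from_phrase` applies the slide-28 "first letters of a phrase" method. The common-word set, the keyboard rows and the minimum length of 8 are illustrative assumptions standing in for a real dictionary and policy, and the phrase rule (first character of each word, final punctuation kept) is my reading of the method, not the slide's own definition.

```python
"""Checks for the slide-28/29 password guidance (added example, not from the
presentation). The word list, keyboard rows and MIN_LENGTH are small
illustrative stand-ins for a real dictionary and a real policy."""
import re

# Constructed, illustrative substitute for a dictionary check.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}
# Keyboard rows, checked forwards and backwards (ASDFG, POIUY, LKJHG all match).
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 8  # assumption; the slide only says "longer"


def _is_series(s, step):
    """True if every character is `step` code points from the previous one (abcdef, 654321)."""
    return len(s) >= 4 and all(ord(b) - ord(a) == step for a, b in zip(s, s[1:]))


def weak_password_reasons(password, userid="", personal_words=()):
    """Return the poor-password patterns `password` matches; an empty list means none did."""
    pw = password.lower()
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if _is_series(pw, 1) or _is_series(pw, -1):
        reasons.append("alphabetic or numeric series")
    if len(pw) >= 4 and len(set(pw)) == 1:
        reasons.append("all identical characters")
    if len(pw) >= 4 and any(pw in row or pw in row[::-1] for row in KEYBOARD_ROWS):
        reasons.append("keyboard sequence")
    uid = userid.lower()
    if uid and (uid in pw or uid[::-1] in pw):
        reasons.append("contains the userid (or its reverse)")
    for word in personal_words:  # spouse, pet, team, ... supplied by the caller
        if word.lower() in pw:
            reasons.append(f"contains personal word '{word}'")
    if pw in COMMON_WORDS:
        reasons.append("dictionary word")
    if password.isalpha():
        reasons.append("no symbol or number")
    elif re.fullmatch(r"[A-Za-z]+[^A-Za-z]", password):
        # slide 28: "preferably not just one at the end"
        reasons.append("only one symbol or number, at the end")
    return reasons


def password_from_phrase(phrase):
    """Slide-28 method: first character of each word, keeping case and digits,
    plus the final punctuation, e.g. 'My 2 dogs eat 4 meals a day!' -> 'M2de4mad!'."""
    words = phrase.split()
    initials = "".join(w[0] for w in words)
    tail = re.search(r"[^A-Za-z0-9]+$", words[-1]) if words else None
    return initials + (tail.group(0) if tail else "")


if __name__ == "__main__":
    samples = ("123456", "qwerty", "star6tan", "jsmith2006", "Welcome1",
               password_from_phrase("My 2 dogs eat 4 meals a day!"))
    for candidate in samples:
        print(f"{candidate!r}: {weak_password_reasons(candidate, userid='jsmith') or 'no pattern matched'}")
```

Run as a script it walks the slide's own examples: 'star6tan' matches no pattern, while 123456, QWERTY and a userid-based password each trip the rule the slide names. A check like this belongs in the enrollment or password-change path, not in the user's head.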
30. Social engineering
   - Social engineering: hacking people
     - An attacker poses as someone else to gain unauthorized access to your computer.
   - You are deceived or conned into divulging information that you would not share under normal circumstances.
   - The attacker is often a smooth talker who tries to gain your confidence, possibly by posing as someone from IT, to get you to reveal your passwords or personal information.
   - May be attempting to gain unauthorized access to, unauthorized use of, or unauthorized disclosure of an information system, network or data.
   - May be trying to modify the system configuration.

31. Social engineering
   - The intruder may do this in person, by e-mail or over the phone.
   - Beware of what you throw in the trash; intruders often go dumpster diving, digging or scavenging in the trash area for useful information. Shred important information.
   - The intruder may prey on unsuspecting help desks, support areas or receptionist/administrative areas by pretending to be a user needing assistance, in order to gain unauthorized access.
   - The hacker uses the information gathered from social engineering to launch the attack.

32. Phishing
   - Phishing is a computer scam that uses spam, IM and pop-up messages to trick you into disclosing private information (Social Security number, credit card, banking data, passwords, etc.)
     - Often appears to come from someone you trust or are in some way associated with
     - Appears to be a legitimate website
     - Embedded in links in e-mails and pop-up messages
     - Phishing e-mails often contain spyware designed to give the attacker remote control of your computer or to track your online activities
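The phishing slide above and slide 21's question "Do you really know where that link goes?" come down to one check a reader cannot reliably do by eye: does a link's real target match what the message displays? The script below is an added example, not part of Rothke's presentation. It parses the anchors out of an HTML message body and flags three classic tells: visible text that names one host while the href goes to another, a target that is a bare IP address, and the userinfo trick where a trusted-looking name sits before an '@' and the real host after it. SAMPLE_EMAIL is constructed for the illustration; its addresses (192.0.2.10, 203.0.113.5, online.example.com) are reserved documentation values, not real sites.

```python
"""Spot the link tricks slides 21 and 32 warn about in an HTML e-mail body
(added example, not from the presentation). SAMPLE_EMAIL is constructed;
its hosts and addresses are documentation placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_in_text(text):
    """Hostname that the *visible* link text claims, or None if the text is not a URL/host."""
    t = text.strip().lower()
    if t.startswith(("http://", "https://")):
        return urlparse(t).hostname
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}(/\S*)?", t):
        return t.split("/")[0]
    return None


def suspicious_links(html):
    """Return [(href, [reasons])] for links whose real target differs from what the reader sees."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        reasons = []
        shown = _host_in_text(text)
        if shown and shown != host:
            reasons.append(f"text shows {shown} but the link goes to {host}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("link target is a raw IP address")
        if "@" in parsed.netloc:
            reasons.append("userinfo trick: the real host is after the '@'")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message; 192.0.2.10 and example.com are reserved for documentation.
SAMPLE_EMAIL = """<p>Dear customer, your account will be suspended within 24 hours.</p>
<p>Please sign in at <a href="http://192.0.2.10/login">https://online.example.com/</a>
to verify your details, or read our
<a href="https://online.example.com/help">help pages</a>.</p>"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

On the sample, only the sign-in link is reported (displayed host differs from the target, and the target is a raw IP); the genuine help link passes. The same logic is what a mail gateway or a browser-side link checker applies before the user ever sees the message.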
33-35. Phishing (screenshot slides, no text)

36. Acceptable use
   - Most companies allow incidental use of phones, computers, messaging and the Internet.
   - The following sites might be acceptable:
     - ,,,
   - Don't ever visit offensive non-business sites
     - Racist, pornography, violent, gambling, hate, etc.
   - Your activities will likely be logged
   - Know what is acceptable and follow the rules
   - Realize that companies have fired, and will fire, employees for violating acceptable use policies

37. Incidental use
   - Incidental personal use of corporate IT resources is allowed if:
     - It does not consume more than an insignificant amount of resources that could otherwise be used for business purposes
     - It does not interfere with employee productivity
     - It does not prevent any business activity

38. Conclusions

39. Keep things in context
   - Don't be overwhelmed by your newfound information security responsibilities
     - You have a corporate information security staff that can help
   - Computer security will eventually feel like second nature
   - Effective security is not about being paranoid
     - It is about acting intelligently and diligently with regard to data protection

40. Keep things in context
   - The best way to ensure effective information security is to follow common sense combined with a healthy dose of skepticism.
     - Don't automatically believe that every e-mail you receive is authentic or that the person on the other end of the phone is who they claim to be
   - Be pragmatic and cautious in matters of computer and information security.
     - Do that and you will be fine.

41. Ben Rothke, CISSP, CISM