
• Common Threats and vulnerabilities

Types and examples of information security threats: Unauthorized Access, Cyber Espionage, Malware, Data Leakage, Mobile Device Attack, Social Engineering, Insiders, Phishing, System Compromise, Spam, Denial of Service, Identity Theft.

• Planning and building of awareness program
How to plan an information security awareness program, taking note of cultural differences, available resources and objectives.

By Vasil Tsvimitidze

Published in: Technology


  1. Georgia NATO
     BUILDING AWARENESS AND AWARENESS PROGRAM
     Turkey, Ankara 2012
     Vasil Tsvimitidze
  2. Common Threats and vulnerabilities
     Common Threats and vulnerabilities
     - Types and examples of information security threats.
     Planning and building of awareness program
     - Main principles, tools and techniques for awareness raising.
     - How to plan an information security awareness program, taking note of cultural differences, available resources and objectives.
     - Hands-on development of a specific awareness program, depending on Georgian practice.
     - Defining the awareness program and identifying priorities.
     - Identification of success assessment metrics.
     - Development or localization of materials for government organizations, business companies and citizens.
  3. Common Threats and vulnerabilities
     There are many information security threats that we need to be constantly aware of and protect against in order to ensure our sensitive information remains secure. This article details 12 different information security threats that are commonly found, together with some preventative measures that can be taken.
     This article is just one of the many materials that form part of the ‘Highway of Threats’ awareness campaign. See the Campaigns section of the site for more details on this.
     Unauthorized Access, Cyber Espionage, Malware, Data Leakage, Mobile Device Attack, Social Engineering, Insiders, Phishing, System Compromise, Spam, Denial of Service, Identity Theft.
  4. Common Threats and vulnerabilities
     Unauthorized Access – Enter at your own risk
     The attempted or successful access of information or systems, without permission or rights to do so.
     - Ensure you have a properly configured firewall, up to date malware prevention software and all software has the latest security updates.
     - Protect all sensitive information, utilizing encryption where appropriate, and use strong passwords that are changed regularly.
     Cyber Espionage – Hey, get off my network!
     The act of spying through the use of computers, involving the covert access or ‘hacking’ of company or government networks to obtain sensitive information.
     - Be alert for social engineering attempts and verify all requests for sensitive information.
     - Ensure software has the latest security updates, your network is secure and monitor for unusual network behavior.
  5. Common Threats and vulnerabilities
     Malware – You installed what?!
     A collective term for malicious software, such as viruses, worms and trojans, designed to infiltrate systems and information for criminal, commercial or destructive purposes.
     - Ensure you have a properly configured firewall, up to date malware prevention and all software has the latest security updates.
     - Do not click links or open attachments in emails from unknown senders, visit un-trusted websites or install dubious software.
     Data Leakage – I seek what you leak
     The intentional or accidental loss, theft or exposure of sensitive company or personal information.
     - Ensure all sensitive information stored on removable storage media, mobile devices or laptops is encrypted.
     - Be mindful of what you post online, check email recipients before pressing send, and never email sensitive company information to personal email accounts.
  6. Common Threats and vulnerabilities
     Mobile Device Attack – Lost, but not forgotten
     The malicious attack on, or unauthorized access of, mobile devices and the information stored or processed by them; performed wirelessly or through physical possession.
     - Keep devices with you at all times, encrypt all sensitive data and removable storage media, and use strong passwords.
     - Avoid connecting to insecure, un-trusted public wireless networks and ensure Bluetooth is in ‘undiscoverable’ mode.
     Social Engineering – Go find some other mug
     Tricking and manipulating others by phone, email, online or in-person, into divulging sensitive information, in order to access company information or systems.
     - Verify all requests for sensitive information, no matter how legitimate they may seem, and never share your passwords with anyone – not even the helpdesk.
     - Never part with sensitive information if in doubt, and report suspected social engineering attempts immediately.
  7. Common Threats and vulnerabilities
     Insiders – I see bad people
     An employee or worker with malicious intent to steal sensitive company information, commit fraud or cause damage to company systems or information.
     - Ensure access to sensitive information is restricted to only those that need it and revoke access when no longer required.
     - Report all suspicious activity or workers immediately.
     Phishing – Think before you link
     A form of social engineering, involving the sending of legitimate looking emails aimed at fraudulently extracting sensitive information from recipients, usually to gain access to systems or for identity theft.
     - Look out for emails containing unexpected or unsolicited requests for sensitive information, or contextually relevant emails from unknown senders.
     - Never click on suspicious looking links within emails, and report all suspected phishing attempts immediately.
  8. Common Threats and vulnerabilities
     System Compromise – Only the strong survive
     A system that has been attacked and taken over by malicious individuals or ‘hackers’, usually through the exploitation of one or more vulnerabilities, and then often used for attacking other systems.
     - Plug vulnerable holes by ensuring software has the latest security updates and any internally developed software is adequately security reviewed.
     - Ensure systems are hardened and configured securely, and regularly scan them for vulnerabilities.
     Spam – Email someone else
     Unsolicited email sent in bulk to many individuals, usually for commercial gain, but increasingly for spreading malware.
     - Only give your email to those you trust and never post your address online for others to view.
     - Use a spam filter and never reply to spam emails or click links within them.
  9. Common Threats and vulnerabilities
     Denial of Service – Are you still there?
     An intentional or unintentional attack on a system and the information stored on it, rendering the system unavailable and inaccessible to authorized users.
     - Securely configure and harden all networks and network equipment against known DoS attacks.
     - Monitor networks through log reviews and the use of intrusion detection or prevention systems.
     Identity Theft – You will never be me
     The theft of an unknowing individual’s personal information, in order to fraudulently assume that individual’s identity to commit a crime, usually for financial gain.
     - Never provide personal information to un-trusted individuals or websites.
     - Ensure personal information is protected when stored and securely disposed of when no longer needed.
  10. Principles of awareness
     Main principles, tools and techniques for awareness raising.
     Principles of awareness
     - Source of threats are people
     - Mission of threats are people
     - Successful awareness program is a combination of Technologies and Capabilities
     - Skillful motivated people are key
     - It’s the combination of Marketing + Information Technologies sciences + Public relationship + risk management
     - And creativity
  11. Risk management
     Diagram labels: Vulnerability, Threat, Risk, Probability, Impact
     Table columns: Priority, Threat, Vulnerability, Probability, Impact, Risk, R_ID
  12. Georgian Example
     Segmentation
     - Government organizations
     - Critical infrastructure
     - Citizens (gender, age, education etc.)
     Communication Channels
     - Internet
     - Conferences
     - TV
     - Printing media
     - Meeting and presentations
     Awareness Activity
     Material development
     Results assessment
     Table columns: R_ID, Segment, Channel, Activity, Material, result, Phase
  13. Thank You
     Questions…