National Life IT Department's Cyber Security Awareness Presentation
68805 MK10680(1011) TC64945(1011)
National Life Group is a trade name of National Life Insurance Company and its affiliates. For internal use only. Not for use with the public
Don't be the weak link!
Cyber Security Awareness
About Cyber Security Awareness Month
National Cyber Security Awareness Month (NCSAM) began
in October of 2004. It was founded and promoted by the
Department of Homeland Security (DHS), the National Cyber
Security Alliance (NCSA), and the Multi-State Information
Sharing and Analysis Center (MS-ISAC) as a means to
promote education and awareness about the ever increasing
number of online security threats that lurk amongst us.
For more information on NCSAM, visit:
For the last several years, National Life Group has put on a
Cyber Security Awareness Fair during the month of October
in an effort to raise the awareness level of our employees
on online threats and countermeasures. NLGroup’s vision
statement is “To Bring Peace of Mind to Everyone We Touch.”
One of the things that we, as employees, can do to commit to
this vision is to foster a strong, responsible, security-centric
culture in regards to our computer-based infrastructure.
Due to the sensitive nature of much of the data we work
with, a computer security related incident at NLGroup could
be especially devastating. Therefore, everyone should make
it their responsibility to do everything in their power to help
keep our systems secure.
NLGroup Cyber Security Awareness Fair 2011
The security of a computer network can only be as strong as
its weakest link, which can sometimes turn out to be its users.
You can engineer your network out of all of the best hardware
and software on the market, and implement the most cutting
edge security protocols around, but all it may take is one user
opening the wrong attachment to send it crumbling down.
This year’s theme for our security awareness fair is: “Don’t be
the Weak Link”. This theme is meant to emphasize the fact
that one of the most vulnerable parts of any network is the
user with a low level of security awareness.
This document will summarize several common
attacks that target the users on a network and tips
on how to avoid them.
Not all of the threats out there are high-tech; in fact,
social engineering has been around since long before computers.
Social engineering covers a fairly wide area of incidents, but
at a basic level it involves using certain techniques while
interacting with someone to gather information or achieve
some other desired result. These techniques could include
all manner of trickery, such as impersonating an authority
figure, blackmail, extortion, bribery, or just lying convincingly.
Someone could even gain employment with the company
and gain the trust of his peers over time! The desired
result might be access into a building or secure area, your
login credentials, or personal information. With this new
information, the criminal can now do all kinds of unsavory
things. These types of incidents can be hard to detect, as the
perpetrator will most likely have done some research ahead of
time to put on a convincing show, whether it is in person, on
the phone, or via email.
Consider this scenario:
You receive a phone call at work from a man who introduces
himself as “Jim Brown, down here in IT...”. He knows your
name, and informs you that he is about to install some
firmware on your computer remotely, and that you are going to
have to turn off your machine for ten minutes while he applies
the changes. He goes on to say that unfortunately, the update
process reverts your password back to the default password
scheme, but if you would like you could give him your current
password and user id and he would change it back for you so
you didn’t have to put in a ticket with system security.
This phone call would likely seem convincing at face value: the
caller knew your name, identified himself, and had a very clear
purpose for calling. He also spoke casually, and knew the lingo.
If you didn’t know many people in the IT team, it would be fairly
easy to be taken in. The only real tip off is the fact that he asked
for your login credentials so that he could do you a “favor” and
reset your password for you. Many unaware people may give
“Jim” their login credentials, and then turn off their computer
for ten minutes while he did whatever he wanted to on their
account. Imagine trying to explain to your manager why large
volumes of sensitive information were emailed to an outside
email address from your company email account!
The next page includes tips on how to prevent social
engineering from being effective.
Each of the threats in this document
(and many more!) involves some
element of social engineering.
The following tips can help prevent social
engineering from being effective:
• NEVER give out personal information or login credentials
belonging to you or anyone else to someone you do not
know. Verify the legitimacy of such requests (in this case
by contacting IT) before releasing any information.
• Ask questions such as why they need the information,
who they report to, etc. Even well researched and practiced
impersonators can show cracks in their story when pressed.
• Do not allow anyone you do not know personally, or those
that do not have the appropriate authorization, to follow
you into the building or a secure area.
• Report suspicious personnel loitering near your
• Report any suspicious phone calls or emails to
management and system security.
Frank William Abagnale Jr. was a
successful impersonator and was able to
masquerade as a commercial pilot, doctor, lawyer,
and teacher in various work environments. Talk about
social engineering! Abagnale was portrayed by Leonardo
DiCaprio in the 2002 movie Catch Me If You Can.
(Source: Computer Security Handbook, 5th Ed. Vol 1)
Phishing and Spear-Phishing
Phishing is a specific type of attack that uses fraudulent
emails to trick people into giving out confidential information.
One of the most popular methods used involves sending out
bulk email to numerous email addresses, masquerading as an
urgent security alert from a popular bank or website such as
Bank of America, PayPal, or Facebook. These emails notify the
recipient that the website’s security has been compromised,
and that it is imperative that the user follow a link to a site to
update their security information. The provided link will lead
to a convincing webpage that will include a form asking for
personal information, passwords, IDs, and sometimes bank
account or credit card numbers to verify their identity. Once
the information is verified, the user is usually redirected to
the real webpage, completing the illusion of legitimacy. The
hapless user is now at the mercy of the people executing
the attack. This technique could even be used for the user’s
workplace login information, which would mean their
employer would also be at risk.
Spear-phishing is a more direct version of phishing. This time,
the email will appear to come from a friend, family member,
or manager. It may even contain personal references, inside
jokes, confidential information, or company signatures
gleaned from social engineering campaigns that will
make it appear legitimate. These emails will specifically
target the recipient, and the desired result will likely be
to get a very specific set of information from the user.
Phishing IQ Test:
If you would like to test how good you
are at detecting phishers, please take this online test.
Go to: http://www.sonicwall.com/furl/phishing/
The test will serve up actual e-mail that claims to come from
large companies; your job is to decide which are real and
which are phishing expeditions.
The next page includes tips to help protect yourself from
59 million phishing e-mails
are sent each day.
The following tips will help protect you
and NLGroup from becoming the victims of
a phishing or spear-phishing attack:
• Don’t respond to emails requesting that you confirm your user ID
and password, other credentials, account numbers, etc.
• Don’t respond to unsolicited emails: If you don’t know the
sender, don’t respond. If they are offering a product or
service, remember the old adage “If it looks too good to be
true, it probably is.”
• Don’t click on links in emails: Link names do not necessarily
reflect where they link to. A link that says www.google.com
can take you to any website. A better practice is to type the
address manually into your web browser.
• Verify transmission of sensitive info with the sender: If you
receive an email requesting sensitive information, it never
hurts to verify the request by calling the company or individual
sending the email. Make sure you use a phone number from a
secondary source, not the one provided in the email.
• Read emails carefully: Pay attention to the content of an
email. If an email is supposed to be an official announcement
or request, it should raise some suspicion if it is rife with
errors or doesn’t flow in a logical manner. If an email from a
coworker isn’t consistent with their normal writing style, take
a closer look at it.
• Look into installing add-ons for your browser at home: Many
browsers offer add-ons that can help protect you while online.
This will not be necessary for your corporate-issued computer.
• Pay attention to alerts from IT, and utilize available resources:
If you receive an alert about a scam, don’t ignore it. There are
also resources online, such as the FBI website, where you can
find more information about online scams and attacks.
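One way to check the “link names do not reflect where they link to” tip mechanically, as an added example that is not from the original booklet: the Python below parses a constructed sample HTML body (not a real email) and flags anchors whose visible text names one host while the href actually points somewhere else.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the original booklet): the first link's text
# names Google but its href points at an unrelated address.
SAMPLE_EMAIL_HTML = """<p>Your account needs verification. Visit
<a href="http://203.0.113.7/login">www.google.com</a> to continue.</p>
<p>Questions? See <a href="https://www.example.com/help">www.example.com/help</a>.</p>"""

# Matches a bare hostname or URL appearing in the visible link text.
URL_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:   # only text inside the current <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _bare_host(host):
    return host[4:] if host.startswith("www.") else host


def find_mismatched_links(html):
    """Return (href, text) pairs where the shown host differs from the
    href's real host; link text that is plain words is skipped."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        m = URL_TEXT_RE.search(text)
        if not m:
            continue
        shown = _bare_host(m.group(1).lower())
        real = _bare_host((urlparse(href).hostname or "").lower())
        if shown != real:
            flagged.append((href, text))
    return flagged
```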
PayPal and eBay are the two
most commonly used names
in phishing emails.
Scareware and Ransomware
Scareware and ransomware are classified as a type of malware
called trojans. A trojan is a program that appears to have a
legitimate and safe function, but ends up having a darker
purpose. Scareware masquerades as an antivirus, anti-malware,
or firewall program. Once installed, it will usually
wait a while before showing its true colors. All of a sudden,
a pop-up alert will appear that says that this program has
detected some kind of virus or maybe a whole slew of them
(that probably don’t exist), but unfortunately cannot remove
them unless the user registers the program. This usually
involves a monetary transaction. After that, the warnings
may or may not disappear and the program may go inactive.
At that point it is already too late, as the damage is done:
you have not only lost money in the deal, but confidential
information as well if you filled out any kind of registration
form. A common example of this type of malware is “Antivirus
20XX” (the year changes to remain current). This program
masquerades as the Windows Security Center, which it
disables. It then follows the previously mentioned model.
There was also a similar program called “MacDefender” that
circulated earlier this year targeting Apple computers.
Ransomware is similar to scareware, except instead of trying
to scare the user into registering a fake product, it uses
extortion as a tactic instead. Usually, these are targeted at
corporations rather than individual users. Once installed, the
program will encrypt some amount of data on the target’s
system. In order to get the encryption key and regain utility
of the data, the victim will have to pay money to the attacker.
This attack can be very effective, because without the use of their
data, some corporations can lose a significant amount of money
in a few hours. This being the case, many corporations will pay
the fee rather than contact the authorities, as the resulting delay
will likely mean a larger sum of money being lost.
The next page includes tips on how to avoid malware.
One international scareware ring
investigated in June, 2011 by the FBI and a
multi-national task force infected more than 1
million victims and cost over $74 million!
Here are a few tips for avoiding this type of malware:
• Review any software before download. If you can find
several credible reviews that back up the legitimacy of the
software, it will most likely be safe.
• If infected, don’t buy into their scare tactics. Instead,
seek assistance in removing the program, as they can
sometimes be tricky to remove safely.
• Any suspicious software or processes on your work
computer should be reported immediately to your manager
and system security.
• Purchase and install a reputable antivirus. The benefits of
this action will extend far beyond the threat of scareware.
• Do not install programs at work. Your work computer
already has antivirus protection. If you need a specific
program, put in a request with the Helpdesk.
A ransomware program infected
around 2500 users during a 5 week period
in December 2010 - January 2011, earning the
perpetrators over $30,000! The program required
the user to send a text message to a premium service
in order to unlock their computer.
Malicious Code Distributed via Email
By now, everyone is intimately familiar with junk email
sent in bulk, AKA Spam. Most of the time, these unwanted
emails are an annoyance, advertising products or services
unsolicited by the recipient. Spam can also be used for more
nefarious purposes, such as distributing viruses and other
malware. Malicious code can be hidden in flash videos,
PDF documents, and also in MS Word or Excel documents.
Sometimes, it will be embedded content directly in the
email, instead of in an attached file. This type is extremely
dangerous, as just opening the email could infect your
computer. Usually, emails that contain malicious code, either
attached or embedded, will have an attention grabbing header
such as “LOL... Funniest Joke Ever!”, or “You’ve Gotta See
This Video!!!”. They can also have headers that seem more
personal or important, such as “Here is the document that
you requested...”. The malware that is distributed in this
way can take many different forms, none of them good.
Many will self-replicate by hijacking your email account and
sending itself out to all of your contacts, which can be more
dangerous as now the “World’s Funniest Video!!!” is coming
from a trusted contact. It should also be noted that this type
of distribution can be combined with phishing and spear-phishing
attacks for added mayhem.
This type of threat can be mitigated by a few simple things:
• Don’t open unsolicited emails like Spam. This guidance
also goes for emails coming from contacts that don’t
normally send those types of emails.
• Disable the email viewer in your email program or webmail.
This is the window that displays the contents of the email
as you scroll through your inbox. Embedded malicious code
will run if you accidentally click on the email and it opens in
• Don’t open attachments, unless it is something specific
that you have been expecting from a contact.
• Script blocking add-ons are available for many browsers
that can help prevent embedded code from running when
reading an email.
• Keep your software up to date. Malicious code will often
exploit flaws in software, such as Adobe Reader or Flash
Player, so keeping your software up to date can help keep
Heidi Klum was recently ranked #1
by McAfee on its list of dangerous online celebrities,
as many spammers and malicious websites have used
her name recognition to dupe users.
National Cyber Security Alliance and National Cyber Security Awareness Month
Antivirus and Anti-Malware
Phishing and Site Verification
The first MS Word macro-virus, “Concept”, was
launched in 1995. It spread via an infected Word
document attached to email and was one of the most
common virus occurrences on the internet for over a
National Life Home Office: One National Life Drive, Montpelier, Vermont 05604
Telephone: 888-279-3990 • www.nationallife.com
National Life Group® is a trade name of National Life Insurance Company and its affiliates. Each company of the National Life Group
is solely responsible for its own financial condition and contractual obligations.