Allow the opening segment to play through and the Protect IT message to play. Introduce yourself and let the group know that this is going to be informative and fun. (go to next slide)
Today we are going to talk about security awareness. By the end of this workshop you should each know what we mean by security awareness. You will understand what your responsibilities are as a Business employee. You will be familiar with many of the security issues or situations that you may face during your career here. And most importantly, you will know how to prevent situations or how to handle them if they do occur. Let's get started. (go to next screen)
Let's begin by explaining what we mean by the term 'security awareness'. Security awareness is the advantage of knowing what types of security issues and incidents our staff may face in the day-to-day routine of their corporate function. It is knowing what to do if you feel someone is attempting to: (click) - wrongfully take Business property or information (ask for possible examples) (stealing a computer) (click) - obtain personal information about our staff, clients, or vendors (ask for possible examples) (selling staff lists) (click) - utilize our information resources for illegal or unethical purposes (ask for possible examples) (surfing inappropriate web sites at work) (click) We will discuss these situations and many others and how to prevent them from occurring at Business. (go to next screen)
Let's talk about your responsibility when you work at Business. As an employee or contractor of the Business Corporation, it is your responsibility to help in the protection and proper use of our information and technology assets. We are counting on you. (go to next screen)
Obviously President Clinton needs to rethink his password strategy! Not only did he choose a weak password, but he let other people see him enter it. This did not set a good example. One of the more important ways you can help with security awareness in our organization is by being a good example to others. Be a security ambassador by setting a good example. (go to next screen)
What exactly are "Information and Technology Assets"? Anything that we use to input, process, store, output or communicate information. (click) This includes items such as computers, fax machines, telephones, paper files, etc. (pause for screen to fill) (go to next screen)
Here are some of the common areas where you may encounter security issues or decisions. All of these have the potential to work their way into how we function as individuals or as an organization. Learning about these issues will provide you with the tool to combat them... that tool is knowledge. So let's get started with our first topic... (go to next screen)
Your password is an important line of defense against unauthorized access to our information. Passwords are often targeted because, statistically, more than half of typical users have a weak password. Once someone is logged in with your ID and password, that person has the same access to all the information that you do. Let's talk about ways to strengthen this line of defense. (go to next screen)
One of the best ways to start is by knowing the characteristics of a weak password. Names are one of the worst passwords you can use (optional humor) unless it's your fourth cousin once removed and their name is X98pf2u6sN. That would not be a bad password. (click) Personal information is a poor choice. (click) Words that are in the dictionary, no matter how complex, are also weak passwords. (click) And numbers by themselves are terrible passwords. (pause) (go to next screen)
Now that we know the rules, let's have some fun applying them to make some strong yet creative and easy-to-remember passwords. The Vanity Plate method combines letters and numbers that make up words or parts of words in a phrase. (click) - Too late again: notice how the 'L' and the '8' make up the word 'late'. (click) - Music is for me: the word 'music' is misspelled and the number 4 replaces the word 'for'. (click) - Day after today: the word 'after' is slightly misspelled but still reads almost the same. Also, notice that upper and lower case letters are used in all three of these examples. (go on to next slide)
Compound words that we see and use every day can be converted to a practical password with a little manipulation. Start with a compound word like tunafish or sunshine and give it a little twist. (click) - Deadbolt (click) - Blackboard (click) - Seashore (go to next screen)
Phrases can lead to some pretty interesting passwords. Take the first letter of each word in a phrase. Make some upper case and some lower case and throw a number in somewhere. Like this... - Jack and Jill went up the hill to fetch a pail of water (go to next screen)
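The four weak-password characteristics and the phrase-initials method above, as an added Python example that is not part of the workshop material. The personal-information set and the dictionary are constructed stand-ins for real lists, and the phrase method takes the digit and its position as parameters because the slide leaves that choice to you; the dictionary check goes slightly beyond the slide by looking at the letters alone, so a plain compound word with a digit tacked on is still flagged.

```python
"""Weak-password rules and the phrase-initials method from the workshop (added example)."""
from __future__ import annotations

import re

# Constructed stand-ins for the "names" and "personal information" an attacker
# guesses first: your own name, family, pets, favorite teams, birthdays as digits.
PERSONAL_INFO = {"hafeez", "rehman", "buddy", "yankees", "19700101"}

# A tiny constructed stand-in for a full dictionary word list.
DICTIONARY = {"password", "tunafish", "sunshine", "deadbolt", "blackboard",
              "seashore", "music", "late", "again", "after", "today", "water"}

# The six strong examples shown on the slides.
WORKSHOP_EXAMPLES = ["2L8again", "MusikS4me", "dayFter2day",
                     "Ded&bowlt8", "blaK4borD", "Seee@SHorr"]


def weak_password_reasons(candidate: str) -> list[str]:
    """Return the workshop's weak-password rules that `candidate` breaks.

    The dictionary and personal-information checks look at the letters alone,
    so "Deadbolt8" is still caught: the slides want the word itself twisted
    (misspelled or broken up), not just a digit added to the end.
    """
    reasons: list[str] = []
    lowered = candidate.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in PERSONAL_INFO or letters_only in PERSONAL_INFO:
        reasons.append("name or personal information")
    if letters_only in DICTIONARY:
        reasons.append("dictionary word")
    if candidate.isdigit():
        reasons.append("numbers only")
    return reasons


def phrase_initials(phrase: str, digit: str, position: int) -> str:
    """Build a password from the first letter of each word in `phrase`.

    Capitalised words keep their upper-case initial, which gives the mixed case
    for free, and one digit is inserted at `position` (the slide's "throw a
    number in somewhere").
    """
    initials = "".join(word[0] for word in phrase.split())
    return initials[:position] + digit + initials[position:]


def workshop_examples_are_strong() -> bool:
    """True when none of the slide's six examples trips a weak-password rule."""
    return all(not weak_password_reasons(pw) for pw in WORKSHOP_EXAMPLES)


if __name__ == "__main__":
    for pw in ["Buddy", "tunafish", "123456", "Deadbolt8", "Ded&bowlt8"]:
        print(pw, weak_password_reasons(pw) or "ok")
    print(phrase_initials("Jack and Jill went up the hill to fetch a pail of water", "2", 5))
```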
Protecting your password is just as important as creating a strong one. Even the best password is worthless if people other than you know it. They would have the same access as you, and it would look like you did whatever they did. If you ever suspect your password has been compromised, please change your password and contact the appropriate person immediately. (go to next screen)
Let's look at how we can protect our password... - Do not share your password with anyone. (click) - Do not write down your password or store it in a computer file (may need to explain that some people keep all their passwords in a word processing or similar file). (click) - If anyone ever calls and asks you for a password, report it immediately. (click) - When receiving technical assistance, enter your password yourself. If for some reason you have to give it to the tech staff, change it as soon as your problem is solved. This protects you and them. (go to next screen)
All computers, whether a notebook or a desktop, will benefit when the following easy steps are practiced. (click) - use a password-protected screen saver - configure a power-on password if available or permitted - always log out of host systems when you are finished - physically secure your computer with a locking cable or other security device. (go to next screen)
Computer thieves know the typical business traveler's routines. They know when and where you are vulnerable and they will be waiting for just these moments. Take a look at this list of common points of vulnerability. (pause) Let's talk about some of the specific situations. (go to next screen)
Never leave your computer bag unattended. If you can't hold it securely while waiting for your plane or using a public phone, stand with one foot through the strap. (go to next screen)
Never check your computer as baggage. It may not be in the same condition when you get it back, or worse... you may not get it back at all. (go to next screen)
Make sure that the pathway through the metal detector is clear before you place your computer on the x-ray conveyor. A common technique for thieves is to stall you at the metal detector while an accomplice grabs your laptop on the other side. (go to next screen)
It is a common practice for computer thieves to frequent the local public transportation systems. Always hang on to your computer and avoid a decoy situation where one person will ask you for directions or assistance while a second makes off with your computer. Try to stay aware at all times. (go to next screen)
If you are staying in a hotel, carry your own computer to your room. In one real-life case, a number of meeting attendees of a major U.S. company gave their computers and luggage to what they thought were bellmen. They never saw their computers again and their important meeting had to be delayed for weeks. (click) When leaving your hotel room for dinner or other activities, secure your laptop to an immobile fixture or large, heavy furniture. (click) Keep your hotel room door locked while you are in the room. Not only will this help keep your PC and belongings safe but it will help keep you safe as well. (go to next screen)
While any backup is better than not having one, there are a few easy things to remember that will help to ensure that you'll be able to recover data if necessary. (click) - perform a full backup. This will back up everything on your system. (click) - do not overwrite your most recent backup tape or other media. (click) - whenever possible keep at least three cycled backups to prevent overwriting a previous copy or in case your backup media goes bad. (click) - The frequency of backups should be appropriate for the importance of the data on your computer. You should make a backup of your data whenever the amount of data that is new since your last backup is more than you are willing to re-create. (go to next screen)
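The backup rules above (never overwrite the most recent copy, cycle at least three media, and back up when the new data exceeds what you are willing to re-create), as an added Python example that is not part of the workshop material. Media labels, day numbers and byte counts are constructed; the rotation always picks the oldest usable medium, and when a medium goes bad and fewer than two remain it refuses to run rather than overwrite the latest copy.

```python
"""Three-media backup rotation following the workshop's backup rules (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Medium:
    label: str
    last_written: Optional[int] = None  # day number of the last backup; None = never used
    good: bool = True                   # False once the medium has been found to be bad


class RotationSet:
    """A cycle of backup media, used oldest-first so the latest copy is never overwritten."""

    def __init__(self, media: List[Medium]) -> None:
        self.media = media

    def usable(self) -> List[Medium]:
        return [m for m in self.media if m.good]

    def can_back_up(self) -> bool:
        """With fewer than two usable media the only target would be the latest
        backup itself, which the rules forbid overwriting."""
        return len(self.usable()) >= 2

    def latest(self) -> Optional[Medium]:
        """The most recent good backup, or None if no good backup exists."""
        written = [m for m in self.usable() if m.last_written is not None]
        return max(written, key=lambda m: m.last_written, default=None)

    def next_medium(self) -> Medium:
        """Pick the medium to overwrite: the oldest usable one, never the latest."""
        if not self.can_back_up():
            raise RuntimeError("fewer than two usable media: replace media before backing up")
        # A never-used medium sorts before any used one.
        return min(self.usable(), key=lambda m: -1 if m.last_written is None else m.last_written)

    def run_backup(self, day: int) -> str:
        """Write the day's full backup onto the chosen medium and return its label."""
        target = self.next_medium()
        target.last_written = day
        return target.label


def backup_is_due(new_bytes_since_last: int, acceptable_loss_bytes: int) -> bool:
    """The frequency rule: back up when the data new since the last backup
    exceeds the amount you are willing to re-create."""
    return new_bytes_since_last > acceptable_loss_bytes


def simulate_rotation(days: int) -> List[str]:
    """Run `days` daily backups over a fresh A/B/C set; return the labels used in order."""
    rotation = RotationSet([Medium("A"), Medium("B"), Medium("C")])
    return [rotation.run_backup(day) for day in range(1, days + 1)]


if __name__ == "__main__":
    print(simulate_rotation(5))  # constructed run: A, B, C, A, B
    rs = RotationSet([Medium("A", 4), Medium("B", 5), Medium("C", 3)])
    rs.media[0].good = False  # medium A found to be bad
    print("next:", rs.next_medium().label, "latest:", rs.latest().label)
```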
It is important that we protect our organization's information. Why? Let's take a look at some reasons... (click) - maintain customer confidence (prompt discussion of what this means and how it could be affected by a loss of information) (click) - maintain public image (prompt discussion of what this means and how it could be affected by a loss of information) (click) - remain competitive (prompt discussion of how we could lose in competitive situations if the wrong information were made public) (click) - protect ourselves and other employees (prompt discussion of how much personal information the organization has in its systems and also how well each of us knows some of our coworkers and their families) (go to next screen)
Confidential data can be accidentally disclosed in many different ways. These tips will help keep our information from falling into the wrong hands. (click) Don’t leave confidential documents unattended on the copier or fax machine. (click) Shred any confidential documents when discarding them. (click) Avoid e-mailing highly confidential documents over the Internet unless you use encryption. Otherwise, consider using a courier. (click) Keep a “clean desk” by securing important files and items when leaving. (click) Remove papers and wipe boards clean when finished using conference rooms. (go to next slide)
Let's take a look at some of our typical situations. If you know you will be working late, park in a well-lit area. (click) Also, when you leave late at night, try to exit with other coworkers. (click) When entering the building or secure areas, do not let a stranger 'tailgate' in behind you. This means that unless you know the person or have seen him working here frequently, you should ask whom he is visiting and offer assistance. (click) Do not prop open doors to secure areas. This defeats the purpose of putting a lock on the door in the first place. (go to next screen)
(optional humor - start with... Despite what some of you might think,) Social engineering does not have anything to do with robots or cloning. A social engineer is a person who will deceive or con others into divulging information that they wouldn't normally share. (go to next screen)
(ask attendees) Can you spot an information thief in this group? (pause for a few seconds) (go to next slide)
Defending against a social engineering attempt is not easy. In fact, you usually won't know when it occurs until it is too late, if you ever realize it occurred at all. Let's take a look at what we can do... (click) If you receive a phone call from an unknown person asking for information that you're not sure should be shared, don't be afraid to ask some questions. (click) - Ask for the correct spelling of his name. If a false name was used, this may catch him off guard. (click) - Ask for a number where you can return the call. This will provide a traceable reference point. (click) - Ask what the information will be used for. (click) - Ask who has authorized this request and tell the caller that you will have to verify the approval before releasing the information. Be sure to follow up and verify with the person referenced. (go to next screen)
If someone attempts this in person, there are also some things that you can do. (click) - Ask for some identification. If it is a legitimate request for the information, he will be impressed by your due diligence. (click) - Ask who has authorized this request and let the person know that you will have to verify the approval before releasing the information. Be sure to follow up and verify with the party referenced. (click) - If you are not authorized to provide that information, offer to help locate the correct person. (click) - Always seek assistance if you are unsure of the situation. (go to next screen)
Remember the case we mentioned a while ago where female employees sued for receiving inappropriate e-mail from coworkers? That situation should never have happened. Those types of messages are unacceptable and a threat to the level of comfort you should expect in our workplace. (go to next screen)
Spam is basically unsolicited and usually unwanted e-mail that you may receive. It is usually a form of advertisement for anything from get-rich-quick schemes to pornography sites on the Internet. Just delete it. If it is a really persistent problem, contact our technology group to block the originating address and notify the originating ISP. (go to next screen)
E-mail chain letters and hoaxes can affect an e-mail system and slow its performance if not curtailed quickly. These messages usually ask the receiver to forward them on to others. If you forward a message to ten people and they each do the same, and this cycle continues ten times, this would result in 10,000,000,000 (ten billion) messages. Most e-mail chain letters and hoaxes are nothing more than modern urban legends. Let's look at some examples... (go to next screen)
Read slide. (go on to next screen)
So what do you do when you receive a chain letter or hoax? First, use sound judgement. If you're not immediately sure it is a hoax, examine it for clues: references to sources you cannot verify, ridiculous claims of riches, etc. If it seems to be a hoax, just delete it. If you receive these types of messages from coworkers, you might want to inform them of the harm they can cause to our organization. (go to next slide)
There is another very good reason to be careful where you go on the Internet. Anywhere you go and anything you do can usually be traced back to our network and ultimately to you. We could experience very negative publicity if a controversial site were able to publicly prove that one or more of our employees had surfed their web site from our network. (go to next slide)
If you sign up or register with Internet sites or services external to our organization, it is important that you use an ID and password that are different from the ones you use on our systems. This will prevent unscrupulous web site operators or their staff from being able to log into our systems. (go to next slide)
Here are some staggering statistics: - There are more than 50,000 viruses in existence. (click) - There are as many as 250 new ones being discovered each month. (click) - A widespread virus incident can easily cause in excess of $100,000 in damages to a single organization. (click) - Virus attacks cost over $15 billion in 2000. (click) - Research shows that computer viruses are getting more malicious in nature. Also, while most people realize that a virus can be responsible for data loss, what they often overlook is the potential for loss of customer confidence, loss of productivity, missed deadlines, increased stress, and other costs, both direct and indirect. (go to next slide)
Why do computer viruses spread so easily? Because many people do not take basic precautions. Here are the most common methods by which a system becomes infected with a computer virus. (click) - Files downloaded from the Internet. If you download programs from the Internet, make sure you know the source and follow the tips we will explain in a couple of minutes. (click) - E-mail messages and attachments. Some of the more creative and modern viruses are spread by means of e-mail and attachments. (click) - Files shared by others or brought in from home computers. Many people do not use the same level of virus protection on their home machines as in the workplace. (click) - Shrink-wrapped commercial software. Yes, this just proves that absolutely no one is guaranteed to be safe from viruses. Not even software companies are immune. (go to next slide)
Viruses can definitely be a problem, but defending against them depends on you incorporating some simple steps into your regular routine. (click) - Always use anti-virus software on your computer. Do not disable your anti-virus software. (click) - Keep your anti-virus software current. This is very important because of the number of new viruses discovered each month. (click) - Scan all files downloaded from the Internet. (click) - Scan all e-mail attachments, even if you know the sender. They may not know that they have a virus. (click) - Scan diskettes and CDs before using them. Remember, even brand new packaged software has been known to contain viruses. (click) - Use anti-virus software on your home computer. (click) - If your computer ever does experience a virus attack, or your software detects a virus, do not panic. Most popular anti-virus packages can disinfect the majority of viruses in existence. Report the incident to the appropriate person as soon as possible. (go to next screen)
Freeware: it's pretty self-explanatory. It's free. The author has provided it, usually as-is and without guarantees, at no cost to the user. You are allowed to use it, copy it, and share it with others. Restrictions may be placed on activities that involve altering the software or using it as a component of other software. (click) Shareware is a little different. It is usually provided free of charge for either a trial period or in a version that is limited in functionality. To receive a full or unlimited version you need to register the software at a modest cost. (go to next screen)
Commercial software is what is most prevalent in the corporate environment. It is usually a higher quality of software and may provide some type of warranty as to its usefulness. Commercial software may be licensed in many different ways: one installation per purchased copy (a retail license); a negotiated number of installations (a corporate license); or a site or enterprise license that allows installation on all computers within an organization. (go to next slide)
At the Business Corporation, we want you to abide by the rules and laws that govern the use of software. These words of advice will help you to do so. - Only obtain software through our approved methods. (click) - Install software in accordance with its license. (click) - Don't share software with others. (click) - Maintain receipts for purchased software. (click) - Do not install software from your home computer onto your work computer. (go to next screen)
Software is not the only area of protected material of which you need to be aware. Printed materials and web content are usually protected by copyright law. Be sure to credit the original author or other designated source when quoting directly from their work. (go to next slide)
The Internet can facilitate the violation of copyright laws because it is so easy to cut and paste and transmit information. Often, because web sites place their copyright notices on obscure pages within the site, a visitor does not know they are infringing on protected material. Always be sure to carefully check the source of any information you may want to use elsewhere. (go to next slide)
(click) - We need to protect Business IT assets. - Every employee must be aware of, understand and commit to act on any security situation quickly, appropriately and knowledgeably. - IT Security is everyone’s business. - Areas taken up (go to the next slide)
Let's take a look at those quiz questions again and see how many answers we can get right on the second time around. We'll take a comparison poll and see how many of you improved your awareness today.
IT Security Awareness
HAFEEZ UR REHMAN
This workshop is designed to educate
Business staff on the following:
• What is IT security awareness?
• Your responsibilities as IT user
• Security issues you may face
• What should you do?
What is Security Awareness?
Security awareness is the advantage of knowing what types of
security issues and incidents employees of Business may face
in the day-to-day routine of their corporate function.
It is knowing what to do if you feel someone is attempting to:
• wrongfully take Business property or information
• obtain personal information about staff, clients or vendors
• utilize our resources for illegal or unethical purposes
There are many other security issues of which you need to be
aware. We will discuss them in detail.
What is Expected of You?
As an employee or contractor of Business, it is your
responsibility to help in the protection and proper use of our
information and technology assets.
We are counting on you!
Real Life Example
The former President of the United States, Bill Clinton,
signed into law a bill which authorizes and acknowledges
electronic signatures on legal documents.
As an example, the President also signed the bill
electronically utilizing a ‘smart card’ and his password.
People world-wide watched as he entered the name of his
dog “Buddy” as his password.
(In memory of Buddy, who died in January 2002)
What Are “Information and Technology Assets”?
This term loosely describes the wide range of information
sources that our organization uses and the equipment that
we use to access, process, and store this information.
E-mail, paper files … and more
Security Topics We Will Address
• Password construction
• Password management
• PC security
• Backups
• Building access
• Social engineering
• Data confidentiality
• E-mail usage
• Internet usage
• Viruses
• Software piracy and copyrights
Passwords are an integral part of overall security.
They are one of the vulnerabilities most frequently
targeted by someone trying to break into a system.
If your password is compromised, your account allows the
intruder access to do anything you are able to do on the
There are many ways that you can help protect your
password and therefore, our organization’s information.
Names:
• Yours
• Family
• Pets
Personal Information:
• Hobbies
• Favorite teams
• Birthdays
Dictionary Words: If used by themselves, simple words make a bad password.
Numbers: Numbers alone are not a good password.
Methods for creating strong passwords you can remember.
The Vanity Plate
Think of a password like a ‘vanity’ license plate utilizing
letters and numbers to make up a phrase.
Too late again = 2L8again
Music is for me = MusikS4me
Day after today = dayFter2day
Methods for creating strong passwords you can remember.
Compound words that we use every day are easy to
remember. Spice them up with numbers and special
characters. Also, misspell one or both of the words and
you'll get a great password.
Deadbolt = Ded&bowlt8
Blackboard = blaK4borD
Seashore = Seee@SHorr
Methods for creating strong passwords you can remember.
Use the first letter of each word in a phrase or sentence.
Jack and Jill went up the hill to fetch a pail of water
Having a strong password is a great start but protecting it
can be just as important.
As we’ve previously shown, once someone knows your
user ID and your password, they have access to do
everything on our systems that you do.
Anything they do will appear as though you did it.
If you ever suspect your password has been compromised,
please change your password and contact the appropriate
Do not share your password with anyone.
Never write down your password or
store it in a computer file.
If you ever receive a telephone call
from someone claiming to need your
password, report it immediately.
When receiving technical assistance,
enter your password instead of telling
it to the technology staff member.
General PC Security
No matter what type of computer you use or where
you use it there are a few things you should always
do to protect your information.
Industry groups estimate that there are as many as
400,000 laptops stolen each year. That’s over 1,000
Laptop thieves will look for you to drop your guard:
• At an airline or rental car counter
• While waiting for your plane
• While loading your things into a taxi
• At a public pay phone
• On the train or bus
• At your hotel
• While at a meeting or conference
. . . And more
In the airport:
• Do not leave your computer bag unattended.
• Never check your computer as baggage.
• Make sure that the pathway through the metal
detector is clear before you place your computer on
the x-ray conveyor.
On a train or bus:
• Be sure to keep a grasp on your computer at all times.
• Don’t become distracted by a decoy while an
accomplice grabs your computer and runs.
In a hotel:
• When arriving at the hotel carry your computer to
your room. Do not give it to the bellman or
• If leaving your hotel room, make sure your laptop
is secured to a solid fixture.
• Keep your hotel room door locked while in the room.
Backup methods vary but there are important things to
keep in mind to help prevent a loss of information.
• Perform a full backup whenever possible.
• Do not backup over your most recent backup media.
• Use a cycle of at least three backup media.
• Frequency of backups should be appropriate for
the importance of the data on your computer.
It is important that we protect our organization’s
• to maintain customer confidence
• to maintain public image
• to remain competitive
• to protect ourselves and other employees
To help maintain the confidentiality of our information:
• Don’t leave documents unattended on the copier or
• Shred any confidential documents when discarding them.
• Encrypt highly confidential e-mail.
• Keep a “clean desk” and secure important files when leaving.
• Remove papers and wipe boards clean when finished
using conference rooms.
• When leaving at night try to exit with other co-
workers if possible. There is some truth to the
saying “safety in numbers.”
• When entering secure areas do not let strangers
‘tailgate’ in behind you.
• Never prop open doors that lead to secured areas.
• If you ever lose an access card or key, report it
immediately to the appropriate person for your
• If you encounter strangers or unknown visitors in
secured work areas, ask them if you could be of
some assistance with a simple “May I help you?”
To most people this is a new phrase:
A social engineer is a person that will deceive or
con others into divulging information that they
wouldn’t normally share.
Can you spot a social engineer in this group?
Defending against a social engineering attempt is not
easy. Usually you won’t know when it occurs until it
is too late. But there are a few things you can do that
If someone phones and asks you for information that
you know is confidential information, don’t be afraid to
ask a few questions yourself.
• Ask for the correct spelling of the caller’s name.
• Ask for a number where you can return the call.
• Ask why the information is needed.
• Ask who has authorized the request and let the
caller know that you will verify the authorization.
If an unknown person appears and asks for confidential
information try one or more of these steps:
• Ask for some identification.
• Ask who has authorized this request so that you
may verify the authorization.
• If you are not authorized to provide that information,
offer to help locate the correct person.
• Seek assistance if you are unsure.
This would include harassing messages, threats, sexually
oriented content, racist remarks, etc.
These types of potentially offensive messages have no
place within our organization.
They are a threat and a risk to the level of comfort we
would like to maintain in our work environment.
Spam is basically unsolicited and usually unwanted
e-mail that you may receive. It is usually a form of
advertisement for anything from get-rich-quick
schemes to pornography sites on the Internet.
The simplest thing to do with most spam messages is
just hit the delete key - end of story. If the problem is
persistent or you notice a lot of messages coming from
the same source, please contact our Lotus Notes
Administrator to block this source.
Chain letters and hoaxes
E-mail chain letters and hoaxes ask the receiver to
forward the message on to a specified number or as
many people as possible. This can become a burden
on e-mail systems in both traffic and storage capacity.
Most e-mail chain letters are based on events or
occurrences that are referred to as hoaxes. They may
reference some ‘reputable’ source but not provide
any contact information.
Let’s look at one which was most frequently found...
• Tsunami Ribbon - This is a ribbon for the people’s
families who have died in the tsunami in Indonesia.
It is asked in the email to pass it on to everyone and
pray & then it says that something good will happen
to you tonight at 11:11PM. It also mentions that this
is not a joke & someone will either call you or write
to you online to say 'I Love U,' do not break this
chain; send to 13 people in the next 15 min.
Chain letters and hoaxes
Now that you know some of the characteristics of
these types of messages, you should simply delete
them when received.
You should also discourage others from spreading
these e-mails. They are a waste of your time and our
You must also be careful where you go on the web for
another reason. Anywhere you go, anything you do, can
be traced back to you and the Business networks.
You leave a trail of digital “footprints” when using the Internet
Imagine what would happen to our organization’s
image if an adult site or hate site suddenly had evidence
that one of our employees had surfed their site from our
Other Things You Should Know
If you sign-up or register with Internet sites or
services external to our organization, it is important
that you use an ID and password that is different from
the one you use on our systems.
• There are more than 80,000 viruses in existence.
• There are as many as 500 new ones being discovered
• A wide-spread virus incident can easily cause in
excess of $100,000 in damages to a single organization.
• Virus attacks cost organizations around the world
$55.1 billion in a year.
• Viruses are becoming far more malicious, being
specifically designed for destruction and damage.
Common Sources of Viruses
• Files downloaded from the Internet
• E-mail messages and attachments
• Files brought in from home computers
• Even shrink-wrapped commercial software can
be a source of virus infection
• Always use anti-virus software on your computer.
• Ensure your anti-virus software is current.
• Scan all files downloaded from the Internet.
• Scan all e-mail attachments.
• Scan diskettes and CDs before using them.
• Use anti-virus software on home computers.
• Report all virus incidents immediately.
Software Piracy and Copyrights
To help prevent violations within our organization,
let’s discuss the three general types of software
Software that may be freely copied, shared and used.
The author often restricts altering or using it as a
component of other software.
Software that may be freely copied and shared but
used only for the trial period or use stated at which
point a registration fee must be paid to continue its
Software Piracy and Copyrights
Software that must be purchased before any use
and allows for either:
• One installation per purchased copy (a retail
• A negotiated number of installations (a
corporate license); or
• Installation on all computers within an
organization (a site or enterprise license).
Software Piracy and Copyrights
• Only licensed software can be used in the company. The transfer
and use of company software to private PCs or Notebooks
is not allowed.
• The procurement of software has to be verified and approved by
the IM department.
• Installation of software, even licensed copy, can only be done or
supervised by the IM department.
The IM department reserves the right to check and, if necessary,
delete unauthorized software or data from users’ PCs or
Notebooks in order to ensure non-violation of company’s
Software Piracy and Copyrights
Material published on the Internet is also protected by
copyright law. Just because right-clicking on a picture
in your browser gives you the option to “copy” or
“save picture as,” does not mean it is legal. Generally,
unless the web site specifically states that the material
may be freely copied, it should be considered
copyrighted. Materials that are labeled as “free for
personal use” should not be copied for use within our
1. We need to protect our Business IT assets.
2. Every employee must be aware of, understand and commit
to act on any security situation quickly, appropriately and
3. IT Security is everyone’s business.
Areas taken up:
• Password construction
• Password management
• PC Security
• Data Backup
• Building Security
• Data confidentiality
• Social Engineering
• E-mail Usage
• Internet Usage
• Viruses
• Software Piracy and Copyrights