Information Security Awareness
– Basic Training
Mohammed Abdul Mateen
Version: 0.2
Date: November 21, 2020
WHY INFORMATION SECURITY?
DATA CLASSIFICATION
File types: pdf, sql, exe, bat, mov, jpg …
DATA IS THE NEW OIL
• Good security standards follow the 90/10 rule:
  • 10% of security safeguards are technical
  • 90% of security safeguards rely on the computer user to adhere to good computing practices
• Example: The lock on the door is the 10%. Remembering to lock, checking to see if it is closed, ensuring others do not prop the door open, keeping control of keys is the 90%. Don't take shortcuts.
THE 90/10 RULE
PART 1.
PHISHING
Safeguarding your email.
A. Emails
B. Email attachments
C. Spam
• Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
• Top Tips:
  1. Check who the email sender really is.
  2. Check the email for grammar and spelling mistakes.
  3. Mouse over the link. Type in the company's URL in your browser.
  4. Contact your IT Security team if you're unsure at all about an email.
A. EMAILS
• Most viruses, Trojan horses, and worms are activated when you open an attachment or click a link contained in an email message. If your email client allows scripting, then it is possible to get a virus by simply opening a message. It's best to limit what HTML is available in your email messages.
• Top Tips:
  1. Never open or save attachments from an unknown sender.
  2. If it looks fishy, don't open or save the attachment.
  3. Let your IT department know if you receive a suspicious email.
B. EMAIL ATTACHMENTS
• Spam email is unsolicited and unwanted junk email sent out in bulk to an indiscriminate recipient list. Typically, spam is sent for commercial purposes. It can be sent in massive volume by botnets, networks of infected computers.
• Top Tips for Spam Protection
  1. Utilize a different provider or 3rd party product if necessary.
  2. Never click, open, or respond to spam messages.
  3. When posting your email address on classified sites, use the following format to keep spam bots from retrieving and using your address: abdul.mateen (at) email.com
C. SPAM
• Nothing is free.
• No Nigerian princes
• No Swedish lottery winners, etc.
THE FREE WORLD
PART 2.
PASSWORDS
Fortify your accounts with secure passwords
1. Personal Info in Passwords
2. Reusing Passwords
3. Password Management
4. Two-factor authentication
• Typically, users practice risky behavior with respect to passwords.
• Passwords nowadays can be a gateway into identity theft.
USERS AND POOR PASSWORD HYGIENE
• Passwords are sometimes extracted
• It is very simple to try all alternative options of a password base
DATA BREACHES LEAD TO PASSWORD
PROBLEMS BECAUSE ..
Example
• The password that was stolen was "elephant"
• The password required by the website is 8 characters, 1 symbol
• 32 symbols on the computer (would take a human 5 minutes)
• Computers can carry out these tasks in fractions of a second
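The "elephant" example shows why a length-and-symbol policy alone does not help once the base word has leaked. The following is an added example, not part of the original slides: a password-change check that also rejects candidates derived from a breached base word. The `BREACHED` set is a constructed stand-in for a breach corpus, the function names are hypothetical, and the 32 symbols are assumed to be the ASCII punctuation characters.

```python
import string

SYMBOLS = string.punctuation  # the 32 ASCII symbols on a keyboard
# Common character substitutions, mapped back to letters.
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "1": "l"})

# Constructed stand-in for a corpus of breached passwords.
BREACHED = {"elephant", "password", "letmein"}


def meets_policy(pw):
    """The site policy from the slide: at least 8 characters and a symbol."""
    return len(pw) >= 8 and any(ch in SYMBOLS for ch in pw)


def normalise(pw):
    """Reduce a candidate to its base word.

    Leading/trailing symbols and digits are dropped first, then
    substitutions inside the word are undone, then any remaining
    symbols are removed.
    """
    core = pw.lower().strip(SYMBOLS + string.digits)
    core = core.translate(LEET)
    return "".join(ch for ch in core if ch not in SYMBOLS)


def review(pw, breached=BREACHED):
    """Decision for a proposed new password."""
    if not meets_policy(pw):
        return "reject: policy"
    if normalise(pw) in breached:
        return "reject: breach-derived"
    return "accept"


def policy_gap(base, breached=BREACHED):
    """For 'base + one symbol': (number passing the policy alone,
    number of those that the breach-derived check rejects)."""
    variants = [base + s for s in SYMBOLS]
    passing = [v for v in variants if meets_policy(v)]
    caught = [v for v in passing if review(v, breached) != "accept"]
    return len(passing), len(caught)


if __name__ == "__main__":
    print(policy_gap("elephant"))           # all 32 pass the policy; all 32 are caught
    print(review("El3phant#"))              # substitution plus symbol is still "elephant"
    print(review("tidal-Orbit-quartz-84"))  # unrelated passphrase is accepted
```
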
• Typically, users are honest when filling out security questions.
• Malicious parties can utilize social media to find out the answers to these questions, which allows them to reset your password.
• Best practice is to not be honest when filling out these questions. Treat security questions as another password field.
SECURITY QUESTIONS
• If you have trouble remembering passwords or creating unique passwords, utilize a password manager.
• There are several very secure password managers on the market that work across all OSes.
• They will remember and auto-complete your passwords for you once your "master" password is entered.
PASSWORD MANAGERS
https://haveibeenpwned.com/
• Currently checks 210 websites
• 2.6 billion compromised accounts contained
• Treat it like a credit-check
PASSWORD HYGIENE CHECKUP
• Choose a good one
• Don't share it
• Replace it often
• Don't recycle an old one
PASSWORDS SHOULD BE TREATED LIKE
TOOTHBRUSHES
Two-Factor Authentication for better protection
• 2FA is a great way to protect against compromise, and it is particularly important for email.
• As opposed to standard password authentication, 2FA OTP (one-time password) uses two elements:
  • Something the user knows
  • Something the user has
MULTIFACTOR AUTHENTICATION
• Utilize unique passwords across all websites/applications
• Enable and utilize 2FA on all websites that allow it
• Bigger is better
• Choose unique, non-true security questions.
• If a data breach occurs, fully change your password
TOP TIPS FOR PASSWORD SAFETY
PART 3.
MALWARE
Steer clear of Malware
1. Types of Malware
2. Malware Targets
3. How Malware gets to you
MALWARE FAMILIES
Malware includes numerous threat families, all with different names, like:
Viruses, Worms, Trojans, Ransomware, Rootkits, Spyware ..
• Malware definitely exists on other operating systems (OSes) outside Windows.
• Windows is typically the major target due to high market share.
• High penetration rate when new malware is released on other OSes, because people believe their devices are safe without having any endpoint security installed.
IS MALWARE ON WINDOWS ONLY?
• Mobile phone malware is a growing threat because users do most internet browsing on a cell phone.
• Ransomware, or screen locking malware, is a popular threat on mobile devices.
• In 2016, malware targeting Apple iOS (iPhones, iPads) increased.
• Users must depend on the company to fix any vulnerabilities.
IS MALWARE ON MOBILE PHONES?
How does my computer get infected?
• Clicking malicious links in email
• Plugging in an unknown flash drive
• Downloading malware masquerading as other software
How does my mobile device get infected?
• Clicking malicious links in email
• Downloading malware masquerading as other software
• Installing 3rd party apps directly from the internet instead of via official stores such as Google Play or Apple's App Store.
HOW DO WE GET INFECTED?
1. Install endpoint security on all devices.
2. Be careful what you plug in. Be careful what you click.
3. Provide awareness training to all of your family members.
TOP TIPS TO AVOID MALWARE
PART 4.
INTERNET
SAFETY
1. Public Wi-Fi
2. IoT Devices
3. HTTPS
4. Web Content Filter
5. Search Engine Safety
• Do not assume that a network named "Library" is actually the wireless network for the Public Library.
• Verify with the business owner the name of their network.
PUBLIC WI-FI
• Public Wi-Fi is very insecure, so you should treat every public Wi-Fi connection as compromised (unsafe)
• Don't utilize any sensitive websites when connected (banking, social networking, etc.)
• If you need to access one of these sites, utilize your cell phone and do not connect it to Wi-Fi
• Seriously, don't. Life or death: use your phone as a hotspot.
• Verify the Wi-Fi name with the business owner prior to connecting
• Treat public Wi-Fi connections as compromised (unsafe)
• Utilize an anti-malware product to help protect against cyber attacks while connected
TOP TIPS FOR PUBLIC WI-FI
• Examples of IoT devices include internet-connected thermostats, appliances, and closed circuit cameras.
• This type of internet connection is convenient, but opens up a security hole that needs to be secured.
• If you can connect to it from anywhere, that means anyone can, by simply guessing your password
• Disable any web features that you do not utilize
• Make sure all IoT devices are kept up to date
• Routers are the first line of defense to protect IoT devices from exploitation
INTERNET OF THINGS (IOT) DEVICES
• Routers should be immediately configured to change the default username and password to something unique
• If someone gains access to your router they can see all other devices on your network
• Make sure your router is regularly updated to avoid exploitation
• Change default usernames and passwords on all devices including routers
• If you do not utilize the web features, disable them
• Make sure all IoT devices, including routers, are kept up to date with the newest firmware
TOP TIPS FOR INTERNET OF THINGS (IOT)
• HTTPS is a protocol for secure communication over a computer network which is widely used on the internet
• HTTPS is typically indicated by a green lock in the web address bar
• No sensitive information should be typed into a page that is not secured by HTTPS
• Even though a page is secured with HTTPS, it does not automatically mean the page is safe
• Most browsers have begun to let users know more easily when they are on a non-secure page
HTTPS
• Before entering sensitive information, check to see if the site is secured by HTTPS
• Check to make sure this is a reputable website before entering credit card information; don't just depend on the HTTPS indicator
TOP TIPS FOR SECURE WEBSITES (HTTPS)
WEB CONTENT FILTER
• Filters web traffic based on preconfigured policies set by the administrator.
• There are both home versions and corporate versions
• Home versions focus on child safety, while corporate versions focus on employee productivity
• Not only can it restrict the content that is displayed to a certain audience, it can also be utilized to filter malicious content and protect the user
• Increase employee productivity by implementing a web filter
• Curb risky user behaviors and reduce malware exposure by implementing a web filter
• Protect children's mobile devices and computers from displaying inappropriate content with a web filter
TOP TIPS FOR WEB CONTENT FILTERING
• Nowadays, users utilize search engines to ask every question they can think of
• Users click on search results without first checking if it is a legitimate site
• This happens commonly on social media websites as well
• Even if the website is reputable, the advertisement could be malicious and infect your computer or mobile device
• Free things (music, movies, game cheats, etc.) are very commonly filled with malware, and are rarely what they say they are
• 'Review' sites make money by traffic.
SEARCH ENGINE SAFETY
Search Engines - Results aren't necessarily results
• Stick to clicking on sites on the first page of results
• Be careful when clicking on sites whose names you do not recognize
• Malware commonly masquerades as free things
TOP TIPS FOR SEARCH ENGINE SAFETY
PART 5.
PERSONALIZED
THREATS
1. Social Engineering
2. Insider Threats
• Be cautious disclosing information
• Verify the credentials of all contractors
• When in doubt, call the official company
TOP TIPS FOR SOCIAL ENGINEERING
• Increase employee awareness of cybercriminal tactics
• Implement a data use policy for what employees may or may not do
• Implement security tools to help prevent, protect, detect and respond
• Consider physical security as part of your data protection plan
TOP TIPS FOR INSIDER THREATS
• Avoid doing personal activities on work computers, when possible.
• Avoid doing work activities on personally owned devices, when possible.
• Co-mingling of information is bad for you and bad for your employer.
DON'T MIX BUSINESS WITH PLEASURE
• Report suspected malware and phishing incidents
• Report suspected social engineering
• Report suspicious behavior of insiders
• Report anything that seems odd or out of place, including the circumvention of physical, technical and administrative controls
DON'T ASSUME ANYTHING
PART 6.
CURRENT
ERA
1. Cyber security risks during the current pandemic have increased manyfold
PART 7.
TO OUR KIDS
GO SAFE ONLINE
Cyber Security awareness to Kids at our homes
• Kids ages 8-18 spend 7 hours and 38 minutes per day online
• Some common online issues kids face include:
  • Cyber Predators
  • Cyber Bullying
  • Identity Theft
THE DIGITAL LIVES OF CHILDREN
• Keep your personal information private; avoid sharing your name, address, telephone number, birthday, passwords, and the name of your school when using the internet
• Think twice before you post or say anything online; once it is in cyberspace, it's out there forever
• Treat others like you want to be treated
• Speak up. If you see something inappropriate, let the website know and tell an adult you trust. Don't stand for bullying, online or off.
• Choose a screen name or email address that isn't your real name to protect your identity. For instance, instead of "Abdul Mateen", why not choose "Sk8boardKing"?
TIPS TO SHARE WITH YOUR KIDS
• Don't share your passwords with anyone
• Think before you click: don't open emails from strangers and don't click on links for unfamiliar sites
• Use and check your privacy settings on social networking sites like Facebook and Twitter
Thank you.
Mohammed Abdul Mateen
mateen.a@liveewire.com
+91 96424 11000

 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 

Information security awareness - 101

  • 1. Information Security Awareness – Basic Training. Mohammed Abdul Mateen. Version: 0.2. Date: November 21, 2020
  • 3. DATA CLASSIFICATION
      - File types, Pdf, sql, exe, bat, mov, jpg …
  • 4. DATA IS THE NEW OIL
  • 5. THE 90/10 RULE
      - Good security standards follow the 90/10 rule:
      - 10% of security safeguards are technical
      - 90% of security safeguards rely on the computer user to adhere to good computing practices
      - Example: The lock on the door is the 10%. Remembering to lock, checking to see if it is closed, ensuring others do not prop the door open, keeping control of keys is the 90%. Don't take shortcuts.
  • 6. PART 1. PHISHING
      - Safeguarding your email.
      - A. Emails
      - B. Email attachments
      - C. Spam
  • 7. A. EMAILS
      - Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
      - Top Tips:
          1. Check who the email sender really is.
          2. Check the email for grammar and spelling mistakes.
          3. Mouse over the link. Type in the company's URL in your browser.
          4. Contact your IT Security team if you're unsure at all about an email.
  • 8. B. EMAIL ATTACHMENTS
      - Most viruses, Trojan horses, and worms are activated when you open an attachment or click a link contained in an email message. If your email client allows scripting, then it is possible to get a virus by simply opening a message. It's best to limit what HTML is available in your email messages.
      - Top Tips:
          1. Never open or save attachments from an unknown sender.
          2. If it looks fishy, don't open or save the attachment.
          3. Let your IT department know if you receive a suspicious email.
  • 9. C. SPAM
      - Spam email is unsolicited and unwanted junk email sent out in bulk to an indiscriminate recipient list. Typically, spam is sent for commercial purposes. It can be sent in massive volume by botnets, networks of infected computers.
      - Top Tips for Spam Protection:
          1. Utilize a different provider or 3rd party product if necessary.
          2. Never click, open, or respond to spam messages.
          3. When posting email to classified sites, use the following format to keep spam bots from retrieving and using your address: abdul.mateen (at) email.com
  • 10. THE FREE WORLD
      - Nothing is free.
      - No Nigerian princes
      - No Swedish lottery winners, etc.
  • 11. PART 2. PASSWORDS
      - Fortify your accounts with secure passwords
          1. Personal Info in Passwords
          2. Reusing Passwords
          3. Password Management
          4. Two-factor authentication
  • 12. USERS AND POOR PASSWORD HYGIENE
      - Typically, users practice risky behavior with respect to passwords.
      - Passwords nowadays can be a gateway into identity theft.
  • 13. DATA BREACHES LEAD TO PASSWORD PROBLEMS BECAUSE ..
      - Passwords sometimes are extracted
      - Very simple to try all alternative options of password-base
      - Example:
          - Password that was stolen was elephant
          - Password required by website is 8 characters 1 symbol
          - 32 symbols on the computer (would take a human 5 minutes)
          - Computers can carry out these tasks in fractions of a second
  • 14. SECURITY QUESTIONS
      - Typically, users are honest when filling out security questions.
      - Malicious parties can utilize social media to find out the answers to these questions, which allows them to reset your password.
      - Best practice is to not be honest when filling out these questions. Treat security questions as another password field.
  • 15. PASSWORD MANAGERS
      - If you have trouble remembering passwords or creating unique passwords, utilize a password manager.
      - There are several very secure password managers on the market that work across all OSes.
      - They will remember and auto-complete your passwords for you once your "master" password is entered.
  • 16. PASSWORD HYGIENE CHECKUP
      - https://haveibeenpwned.com/
      - Currently checks 210 websites
      - 2.6 billion compromised accounts contained
      - Treat it like a credit-check
  • 17. PASSWORDS SHOULD BE TREATED LIKE TOOTHBRUSHES
      - Choose a good one
      - Don't share it
      - Replace it often
      - Don't recycle an old one
  • 18. MULTIFACTOR AUTHENTICATION
      - Two-Factor Authentication for better protection
      - 2FA is a great way to protect your email from being compromised.
      - As opposed to standard password authentication, 2FA OTP (one-time password) uses two elements:
          - Something that the user knows
          - Something that the user has
  • 19. TOP TIPS FOR PASSWORD SAFETY
      - Utilize unique passwords across all websites/applications
      - Enable and utilize 2FA on all websites that allow it
      - Bigger is better
      - Choose unique, non-true security questions.
      - If a data breach occurs, fully change your password
  • 20. PART 3. MALWARE
      - Steer clear of Malware
          1. Types of Malware
          2. Malware Targets
          3. How Malware gets to you
  • 21. MALWARE FAMILIES
      - Malware includes numerous threat families, all with different names, like Viruses, Worms, Trojans, Ransomware, Rootkits, Spyware ..
  • 22. IS MALWARE ON WINDOWS ONLY?
      - Malware definitely exists on other operating systems (OSes) outside Windows.
      - Windows is typically the major target due to high market share.
      - There is a high penetration rate when new malware is released on other OSes, because people believe their devices are safe without having any endpoint security installed.
  • 23. IS MALWARE ON MOBILE PHONES?
      - Mobile phone malware is a growing threat because users do most internet browsing on a cell phone.
      - Ransomware, or screen locking malware, is a popular threat on mobile devices.
      - In 2016, malware targeting Apple iOS (iPhones, iPads) increased.
      - Users must depend on the company to fix any vulnerabilities.
  • 24. HOW DO WE GET INFECTED?
      - How does my computer get infected?
          - Clicking malicious links in email
          - Plugging in an unknown flash drive
          - Downloading malware masquerading as other software
      - How does my mobile device get infected?
          - Clicking malicious links in email
          - Downloading malware masquerading as other software
          - Installing 3rd party apps directly from the internet instead of via official stores such as Google Play or Apple's App Store.
  • 25. TOP TIPS TO AVOID MALWARE
      1. Install endpoint security on all devices.
      2. Be careful what you plug in. Be careful what you click.
      3. Provide awareness training to all of your family members.
  • 26. PART 4. INTERNET SAFETY
      1. Public Wi-Fi
      2. IoT Devices
      3. HTTPS
      4. Web Content Filter
      5. Search Engine Safety
  • 27. PUBLIC WI-FI
      - Do not assume that a network named "Library" is actually the wireless network for the Public Library.
      - Verify with the business owner the name of their network.
      - Public Wi-Fi is very insecure, so you should treat every public Wi-Fi connection as compromised (unsafe)
      - Don't utilize any sensitive websites when connected (banking, social networking etc.)
      - If you need to access one of these sites, utilize your cell phone and do not connect it to Wi-Fi
  • 28. TOP TIPS FOR PUBLIC WI-FI
      - Seriously, Don't. Life or Death - Use your phone as a hotspot.
      - Verify the Wi-Fi name with the business owner prior to connecting
      - Treat public Wi-Fi connections as compromised (unsafe)
      - Utilize an anti-malware product to help protect against cyber attacks while connected
  • 29. INTERNET OF THINGS (IOT) DEVICES
      - Examples of IoT devices include internet-connected thermostats, appliances, and closed circuit cameras.
      - This type of internet connection is convenient, but opens up a security hole that needs to be secured.
      - If you can connect to it from anywhere, that means anyone can - by simply guessing your password
      - Disable any web features that you do not utilize
      - Make sure all IoT devices are kept up to date
      - Routers are the first line of defense to protect IoT devices from exploitation
      - Routers should be immediately configured to change the default username and password to something unique
      - If someone gains access to your router they can see all other devices on your network
      - Make sure your router is regularly updated to avoid exploitation
  • 30. TOP TIPS FOR INTERNET OF THINGS (IOT)
      - Change default usernames and passwords on all devices including routers
      - If you do not utilize the web features, disable them
      - Make sure all IoT devices, including routers, are kept up to date with the newest firmware
  • 31. HTTPS
      - HTTPS is a protocol for secure communication over a computer network which is widely used on the internet
      - HTTPS is typically notated by displaying a green lock in the web address bar
      - No sensitive information should be typed into a page that is not secured by HTTPS
      - Even though a page is secured with HTTPS, it does not automatically mean the page is safe
      - Most browsers have begun to let users know more easily when they are on a non-secure page
  • 32. TOP TIPS FOR SECURE WEBSITES (HTTPS)
      - Before entering sensitive information, check to see if the site is secured by HTTPS
      - Check to make sure this is a reputable website before entering credit card information; don't just depend on the HTTPS indicator
  • 33. WEB CONTENT FILTER
      - Filters web traffic based on preconfigured policies set by the administrator.
      - There are both home versions and corporate versions
      - Home versions focus on child safety, while corporate versions focus on employee productivity
      - Not only can it restrict the content that is displayed to a certain audience, it can also be utilized to filter malicious content and protect the user
  • 34. TOP TIPS FOR WEB CONTENT FILTERING
      - Increase employee productivity by implementing a web filter
      - Curb risky user behaviors and reduce malware exposure by implementing a web filter
      - Protect children's mobile devices and computers from displaying inappropriate content with a web filter
  • 35. SEARCH ENGINE SAFETY
      - Nowadays, users utilize search engines to ask every question they can think of
      - Users click on search results without first checking if it is a legitimate site
      - This happens commonly on social media websites as well
      - Even if the website is reputable, the advertisement could be malicious and infect your computer or mobile device
      - Free things (music, movies, game cheats, etc.) are very commonly filled with malware, and are rarely what they say they are
      - 'Review' sites make money by traffic.
  • 36. TOP TIPS FOR SEARCH ENGINE SAFETY
      - Search Engines - Results aren't necessarily results
      - Stick to clicking on sites on the first page of results
      - Be careful when clicking on sites whose names you do not recognize
      - Malware commonly masquerades as free things
  • 37. PART 5. PERSONALIZED THREATS
      1. Social Engineering
      2. Insider Threats
  • 38. TOP TIPS FOR SOCIAL ENGINEERING
      - Be cautious disclosing information
      - Verify the credentials of all contractors
      - When in doubt call the official company
  • 39. TOP TIPS FOR INSIDER THREATS
      - Increase employee awareness of cybercriminal tactics
      - Implement a data use policy for what employees may or may not do
      - Implement security tools to help prevent, protect, detect and respond
      - Consider physical security as part of your data protection plan
  • 40. DON'T MIX BUSINESS WITH PLEASURE
      - Avoid doing personal activities on work computers, when possible.
      - Avoid doing work activities on personally owned devices, when possible.
      - Co-mingling of information is bad for you and bad for your employer.
  • 41. DON'T ASSUME ANYTHING
      - Report suspected malware and phishing incidents
      - Report suspected social engineering
      - Report suspicious behavior of insiders
      - Report anything that seems odd or out of place, including the circumvention of physical, technical and administrative controls
  • 42. PART 6. CURRENT ERA
      1. Cyber security risks during the current pandemic have increased manyfold
  • 49. PART 7. TO OUR KIDS GO SAFE ONLINE
      - Cyber Security awareness to Kids at our homes
  • 50. THE DIGITAL LIVES OF CHILDREN
      - Kids ages 8-18 spend 7 hours and 38 minutes per day online
      - Some common online issues kids face include:
          - Cyber Predators
          - Cyber Bullying
          - Identity Theft
  • 52. TIPS TO SHARE WITH YOUR KIDS
      - Keep your personal information private; avoid sharing your name, address, telephone number, birthday, passwords, and the name of your school when using the internet
      - Think twice before you post or say anything online; once it is in cyberspace, it's out there forever
      - Treat others like you want to be treated
      - Speak up. If you see something inappropriate, let the website know and tell an adult you trust. Don't stand for bullying -- Online or Off.
      - Choose a screen name or email address that isn't your real name to protect your identity. For instance, instead of "Abdul Mateen", why not choose "Sk8boardKing"?
      - Don't share your passwords with anyone
      - Think before you click - don't open emails from strangers and don't click on links for unfamiliar sites
      - Use and check your privacy settings on social networking sites like Facebook and Twitter
  • 53. Thank you. Mohammed Abdul Mateen, mateen.a@liveewire.com, +91 96424 11000