The document discusses various cybersecurity risks and best practices for protection. It notes that the internet allows attackers to strike from anywhere in the world. Poor security practices can enable identity theft, monetary theft, and legal issues. According to SANS.org, the top vulnerabilities are web browsers, IM clients, web applications, and excessive user rights. The document provides tips for protecting computers and data, such as using secure passwords, updating software, and practicing safe online behaviors. It also outlines common cyber attacks like viruses, worms, trojans, and social engineering and recommends defenses such as antivirus software, firewalls, and regular software updates.
Information security awareness
1.
2. The internet allows an attacker to attack from anywhere on the planet.
Risks caused by poor security knowledge and practice:
• Identity Theft
• Monetary Theft
• Legal Ramifications (for yourself and companies)
• Termination if company policies are not followed
According to www.SANS.org, the top vulnerabilities available for a cyber criminal are:
• Web Browser
• IM Clients
• Web Applications
• Excessive User Rights
3. Security: We must protect our computers and data in the same way that we secure the doors to our homes.
Safety: We must behave in ways that protect us against risks and threats that come with technology.
4.
5. Cracker: Computer-savvy programmer creates attack software.
Script Kiddies: Unsophisticated computer users who know how to execute programs.
Hacker Bulletin Board: SQL Injection, Buffer overflow, Password Crackers, Password Dictionaries. Successful attacks! "Crazyman broke into …", "CoolCat penetrated…"
Criminals: Create & sell bots -> spam; sell credit card numbers,…
System Administrators: Some scripts are useful to protect networks…
Black-market prices shown on the slide: Malware package = $1K-2K; 1 M Email addresses = $8; 10,000 PCs = $1000
7. A virus attaches itself to a program, file, or disk. When the program is executed, the virus activates and replicates itself.
The virus may be benign or malignant but executes its payload at some point (often upon contact).
Viruses result in crashing of computers and loss of data.
In order to recover from/prevent virus attacks:
• Avoid potentially unreliable websites/emails
• System Restore
• Re-install operating system
• Anti-virus (e.g. Avira, AVG, Norton)
[Diagram: Program A carrying extra code infects Program B]
8. Independent program which replicates itself and sends copies from computer to computer across network connections. Upon arrival the worm may be activated to replicate.
[Diagram: the worm mails itself to every entry in the victim's email list (Joe@gmail.com, Ann@yahoo.com, Bob@uwp.edu)]
9. Logic Bomb: Malware logic executes upon certain conditions. The program is often used for legitimate reasons.
• Software which malfunctions if maintenance fee is not paid
• Employee triggers a database erase when he is fired.
Trojan Horse: Masquerades as beneficial program while quietly destroying data or damaging your system.
• Download a game: Might be fun but has hidden part that emails your password file without you knowing.
10. Social engineering manipulates people into performing actions or divulging confidential information. Similar to a confidence trick or simple fraud, the term applies to the use of deception to gain information, commit fraud, or access computer systems.
Phone Call: "This is John, the System Admin. What is your password?"
Email: "ABC Bank has noticed a problem with your account…"
In Person: "What ethnicity are you? Your mother's maiden name?" / "I have come to repair your machine… and have some software patches."
11. Phishing: a 'trustworthy entity' asks via e-mail for sensitive information such as SSN, credit card numbers, login IDs or passwords.
12. The link provided in the e-mail leads to a fake webpage which collects important information and submits it to the owner.
The fake web page looks like the real thing
• Extracts account information
13. A botnet is a large number of compromised computers that are used to create and send spam or viruses or flood a network with messages as a denial of service attack. The compromised computers are called zombies.
14. An attacker pretends to be your final destination on the network. If a person tries to connect to a specific WLAN access point or web server, an attacker can mislead him to his computer, pretending to be that access point or server.
15. Upon penetrating a computer, a hacker installs a collection of programs, called a rootkit.
May enable:
• Easy access for the hacker (and others)
• Keystroke logger
• Eliminates evidence of break-in
• Modifies the operating system
[Diagram: rootkit components: Backdoor entry, Keystroke Logger, Hidden user]
16. Password patterns and time to guess

Pattern                              Calculation   Result     Time to Guess (2.6x10^18/month)
Personal Info: interests, relatives  20            Manual     5 minutes
Social Engineering                   1             Manual     2 minutes
American Dictionary                  80,000                   < 1 second
4 chars: lower case alpha            26^4          5x10^5
8 chars: lower case alpha            26^8          2x10^11
8 chars: alpha                       52^8          5x10^13
8 chars: alphanumeric                62^8          2x10^14    3.4 min.
8 chars: alphanumeric + 10           72^8          7x10^14    12 min.
8 chars: all keyboard                95^8          7x10^15    2 hours
12 chars: alphanumeric               62^12         3x10^21    96 years
12 chars: alphanumeric + 10          72^12         2x10^22    500 years
12 chars: all keyboard               95^12         5x10^23
16 chars: alphanumeric               62^16         5x10^28
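The arithmetic behind the table (keyspace = alphabet size to the power of the length, divided by the guessing rate) is worth having in a form you can re-run with your own rate, since the 2.6x10^18 guesses per month the slide assumes is a fixed snapshot. The script below is an added example, not code from the deck or its author; it takes the slide's alphabet sizes and rate as given and adds the equivalent strength in bits, which the slide does not show. Times it prints agree with the slide's column up to the rounding the slide applied to its Result column.

```python
"""Keyspace, bits of strength and worst-case brute-force time for the password
patterns on slide 16. Added example; the guessing rate is the slide's figure."""
import math

GUESSES_PER_MONTH = 2.6e18          # rate assumed in the slide's table header
MINUTES_PER_MONTH = 30 * 24 * 60

# Alphabet sizes behind the slide's "Calculation" column (e.g. 62^8).
ALPHABETS = {
    "lower case alpha": 26,
    "alpha": 52,                    # upper + lower case letters
    "alphanumeric": 62,             # letters + digits
    "alphanumeric + 10": 72,        # plus ten punctuation characters
    "all keyboard": 95,             # printable ASCII
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent key strength in bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def minutes_to_exhaust(space: int, rate: float = GUESSES_PER_MONTH) -> float:
    """Worst case for the attacker: every candidate has to be tried."""
    return space / rate * MINUTES_PER_MONTH


def human_time(minutes: float) -> str:
    """Render a duration the way the slide does (min. / hours / years)."""
    if minutes < 60:
        return f"{minutes:.1f} min."
    if minutes < 2 * 24 * 60:
        return f"{minutes / 60:.1f} hours"
    return f"{minutes / MINUTES_PER_MONTH / 12:,.0f} years"


def table(lengths=(8, 12, 16)):
    """Rebuild the slide's rows for every alphabet and length combination."""
    rows = []
    for length in lengths:
        for name, size in ALPHABETS.items():
            space = keyspace(size, length)
            rows.append((f"{length} chars: {name}", f"{size}^{length}",
                         f"{space:.0e}", f"{entropy_bits(size, length):.0f} bits",
                         human_time(minutes_to_exhaust(space))))
    return rows


if __name__ == "__main__":
    for pattern, calc, result, bits, when in table():
        print(f"{pattern:<30} {calc:>6} {result:>8} {bits:>8}  {when}")
```

Note how the table's shape comes out of the formula: going from 8 to 12 alphanumeric characters multiplies the keyspace by 62^4, about 1.5x10^7, which is why the time jumps from minutes to decades, whereas widening the alphabet from 62 to 95 at the same length gains only about 95^8/62^8, roughly 30x.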
17. Symptoms:
• Antivirus software detects a problem
• Pop-ups suddenly appear (may sell security software)
• Disk space disappears
• Files or transactions appear that should not be there
• System slows down to a crawl
• Unusual messages, sounds, or displays on your monitor
• Stolen laptop (1 in 10 stolen in laptop lifetime)
• Your mouse moves by itself
• Your computer shuts down and powers off by itself
• Often not recognized
18. Spyware symptoms:
• Change to your browser homepage/start page
• Ending up on a strange site when conducting a search
• System-based firewall is turned off automatically
• Lots of network activity while not particularly active
• Excessive pop-up windows
• New icons, programs, favorites which you did not add
• Frequent firewall alerts about unknown programs trying to access the Internet
• Bad/slow system performance
19.
20. Defense in depth uses multiple layers of defense to address technical, personnel and operational issues.
21. Anti-virus software detects malware and can destroy it before any damage is done.
• Install and maintain anti-virus and anti-spyware software
• Be sure to keep anti-virus software updated
• Many free and pay options exist
22. A firewall acts as a wall between your computer/private network and the internet. Hackers may use the internet to find, use, and install applications on your computer. A firewall prevents hacker connections from entering your computer.
• Filters packets that enter or leave your computer
23. Microsoft regularly issues patches or updates to solve security problems in their software. If these are not applied, it leaves your computer vulnerable to hackers.
The Windows Update feature built into Windows can be set up to automatically download and install updates.
• Avoid logging in as administrator
25. Combine 2 unrelated words: Mail + phone = m@!lf0n3
Abbreviate a phrase: My favorite color is blue = Mfciblue
Music lyric: "Happy birthday to you, happy birthday to you, happy birthday dear John, happy birthday to you." = hb2uhb2uhbdJhb2u
26. Never use 'admin' or 'root' or 'administrator' as a login for the admin.
A good password is:
• private: it is used and known by one person only
• secret: it does not appear in clear text in any file or program or on a piece of paper pinned to the terminal
• easily remembered: so there is no need to write it down
• at least 8 characters, complex: a mixture of at least 3 of the following: upper case letters, lower case letters, digits and punctuation
• not guessable by any program in a reasonable time, for instance less than one week.
• changed regularly: a good change policy is every 3 months
Beware that someone may see you typing it. If you accidentally type your password instead of your login name, it may appear in system log files.
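The mechanical parts of slide 26's rules (minimum length, at least 3 of the 4 character classes, not a dictionary word, no reserved admin login) can be enforced at account creation, and it is instructive to run slide 25's own sample passwords through them. The checker below is an added example, not code from the deck or its author; the short word list is a constructed stand-in for a real dictionary and breached-password list, and the "private", "secret" and "changed regularly" rules are procedural, so no code checks them.

```python
"""Password rule checker for the rules listed on slide 26. Added example;
RESERVED_LOGINS and the thresholds come from the slide, DICTIONARY is a
constructed sample that a real deployment would replace with a full word list."""
import string

RESERVED_LOGINS = {"admin", "root", "administrator"}           # slide 26, line 1
DICTIONARY = {"password", "welcome", "letmein", "blue", "happy", "mail"}
MIN_LENGTH = 8
MIN_CLASSES = 3

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
}


def character_classes(pw: str) -> set[str]:
    """Names of the character classes that occur at least once in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def check_password(pw: str, login: str = "") -> list[str]:
    """Return the rule violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(pw)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if pw.lower() in DICTIONARY:
        problems.append("is a dictionary word")
    if login and login.lower() in RESERVED_LOGINS:
        problems.append(f"login {login!r} is a reserved name")
    return problems


if __name__ == "__main__":
    # The three sample passwords from slide 25, plus a plain dictionary word.
    for candidate in ("m@!lf0n3", "Mfciblue", "hb2uhb2uhbdJhb2u", "password"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate:<18} {sorted(character_classes(candidate))}  {verdict}")
```

Of slide 25's three examples, "m@!lf0n3" and "hb2uhb2uhbdJhb2u" satisfy the slide 26 rules, while "Mfciblue" uses only two character classes (upper and lower case) and so fails the complexity rule even though it meets the length rule; the abbreviation technique needs a digit or punctuation character added to comply.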
27. Do not open email attachments unless you are expecting the email with the attachment and you trust the sender.
Do not click on links in emails unless you are absolutely sure of their validity.
Only visit and/or download software from web pages you trust.
28.
29. Always use a secure browser to do online activities.
Frequently delete temp files, cookies, history, saved passwords etc.
https:// is the symbol showing enhanced security.
30. No security measure is 100%.
What information is important to you?
Is your back-up:
• Recent?
• Off-site & Secure?
• Process Documented?
• Tested?
• Encrypted?
31. Organizations lose 5-6% of revenue annually due to internal fraud = $652 Billion in U.S. (2006)
Average scheme lasts 18 months, costs $159,000
25% of costs exceed $1M
Smaller companies suffer greater average $ losses than large companies
[Chart: Internal Fraud Recovery, categories: $0 Recovered / Recovery <= 25% / Substantial Recovery]
32. Tips are the most common way fraud is discovered.
Tips come from:
• Employee/Coworkers 64%,
• Anonymous 18%,
• Customer 11%,
• Vendor 7%
If you notice possible fraud, CONTACT: ??????????
[Chart: How Fraud is Discovered (%), categories: Tip, By Accident, Internal Audit, Internal Controls, External Audit, Notified by Police; y-axis 0 to 40%]
33. Additional Slides to insert:
• How is information security confidentiality to be handled? Show table of how information confidentiality is categorized and treated.
• Are there specific legal actions all employees should be concerned with?
• Physical security – how are the rooms laid out and how is security handled?
• Handling information at home on home computer – any special restrictions?
• On fraud slide, specify contact if fraud is suspected.
34. These are best practices involving Information Security.
• Most of these practices are from the National Institute of Standards and Technology.
Use these practices at home and at work to keep safe and secure.
Employers have policies and procedures regarding secure practices. Be sure to understand them and adhere to them. It will protect you, your employer and your customers.
Editor's Notes
Security: The way in which we protect access to our computers and information. E.g. anti-virus software, firewall.
Safety: The way we behave while using the internet. E.g. safe email behavior, safe software downloading behavior.
Stress the difference and the importance of both together to provide a safe and secure computing environment.
Users must be aware of the threats that exist in order to properly detect and prevent them.
Each of these will be covered thoroughly in the slides that follow.
Viruses
Computer viruses are software programs that are deliberately designed by online attackers to invade your computer, to interfere with its operation, and to copy, corrupt or delete your data. These malicious software programs are called viruses because they are designed not only to infect and damage one computer, but to spread to other computers all across the Internet.
Computer viruses are often hidden in what appear to be useful or entertaining programs or e-mail attachments, such as computer games, video clips or photos. Many such viruses are spread inadvertently by computer users, who unwittingly pass them along in e-mail to friends and colleagues.
Worms
Worms are more sophisticated viruses that can replicate automatically and send themselves to other computers by first taking control of certain software programs on your PC, such as email.
Logic Bomb
Malware that destroys data when certain conditions are met. E.g., it may format a hard drive or change data files (possibly by inserting random bits of data) on a particular date or time or if a certain employee record is missing from the employee database.
Example: an employee places a logic bomb inside a system to destroy data when his/her record is removed upon termination.
Trojan Horses
A Trojan horse is a program which seems to be doing one thing, but is actually doing another. A Trojan horse can be used to set up back door in a computer system so that the intruder can gain access later.
The name refers to the horse from the Trojan War, with similar function of deceiving defenders into bringing an intruder inside.
Social Engineering can occur in-person, over the phone, in emails or fake web pages.
Social Engineering: non-technical or low-technology means - such as lies, impersonation, tricks, bribes, blackmail, and threats - used to attack information systems.
The next two slides discuss two types of Social Engineering: phishing and pharming.
Phishing: a type of social engineering. E-mails that appear to come from a trusted source trick the user into entering valid credentials at a fake website. Typically both the e-mail and the website are made to look like those of a bank the user does business with.
Pharming: usually grouped with social engineering, although it works by technical deception rather than persuasion. The user's request for a legitimate site is redirected to a look-alike site, for example through a poisoned DNS cache or a tampered hosts file, so the user types the correct address and still lands on the fake page. There, transactions can be mimicked and information such as login credentials harvested; with those the attacker can access the real site and transact as the legitimate user.
An infected computer is often turned into a bot. Because the infected machines and their controllers are spread across many countries, these networks are hard to shut down.
Zombie: a compromised computer under an attacker's remote control. It may be used to host pornography or pirated music and movies, or as a relay for further attacks, all without the owner's knowledge.
Botnet: a “zombie army,” a collection of compromised computers (zombies) used to send spam, distribute viruses or run distributed denial-of-service attacks.
Rootkit: a collection of programs an intruder installs to hide the break-in (concealing files, processes and network connections) and to keep the administrator-level access gained on a computer or network.
This chart shows the different combinations of passwords and password lengths and how long a dictionary attack or brute force attack would take to guess the password.
Discussion of proper password creation and change techniques will occur later in the User Practices section of the presentation.
At this stage just discuss the attacks and comparisons to password lengths and patterns.
Brute Force Attack: A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one-by-one.
Dictionary Attack: An attack that tries the words and phrases in a list (a dictionary), usually together with mangling rules such as capitalising, appending digits or substituting symbols, to crack a password or key. It covers far fewer candidates than a brute force attack, which tries every combination, but finishes far sooner when the password is based on a word.
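As an added illustration (not from the slides), the arithmetic behind such a chart: the size of the search space for each character class and length, the entropy that corresponds to it, and the worst-case time to exhaust it at an assumed guess rate, next to the cost of a dictionary attack of a given size. The guess rate of 1e10 per second and the charset rows are assumptions chosen for the example; the absolute numbers move with the hardware and the hash algorithm, so the relative comparison is the point.

```python
import math

# Alphabet sizes for the character classes a password chart compares.
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "lower + upper": 52,
    "lower + upper + digits": 62,
    "all printable ASCII": 95,
}

# Assumed attacker speed. 1e10 guesses/second is in the range of a single
# GPU rig against a fast, unsalted hash; it is an assumption for this
# example, not a figure from the slides, and a slow hash such as bcrypt
# cuts it by several orders of magnitude.
ASSUMED_GUESSES_PER_SECOND = 1e10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def brute_force_seconds(alphabet_size: int, length: int,
                        guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Seconds to try every password of this shape (the expected hit is half that)."""
    return keyspace(alphabet_size, length) / guesses_per_second


def dictionary_seconds(words: int, rules: int,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """A dictionary attack tries each word under each mangling rule: words * rules guesses."""
    return words * rules / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value of at least one."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


def chart(lengths=(6, 8, 10, 12, 16)):
    """Rows of a charset-by-length table: (charset, length, bits, worst-case time)."""
    return [(name, n, round(entropy_bits(size, n), 1),
             humanize(brute_force_seconds(size, n)))
            for name, size in CHARSETS.items() for n in lengths]


if __name__ == "__main__":
    print(f"{'charset':<24}{'len':>4}{'bits':>7}  brute force (worst case)")
    for name, n, bits, t in chart():
        print(f"{name:<24}{n:>4}{bits:>7}  {t}")
    # A long password built from a dictionary word falls to a rule-based
    # dictionary attack long before brute force of the same length would finish.
    print("dictionary, 1e6 words x 1e4 rules:",
          humanize(dictionary_seconds(1_000_000, 10_000)))
    print("brute force, 12 chars from 95 symbols:",
          humanize(brute_force_seconds(95, 12)))
```

Each extra character multiplies the work by the alphabet size, which is why length beats character variety: adding two lowercase letters (x676) does more than switching an existing letter to a symbol.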
What are the best practices to avoid all the threats we have been discussing?
Attackers are always creating new viruses, so it is important that anti-virus software stay updated.
Anti-virus and anti-spyware software should be updated on a regular basis.
Anti-virus should be set to update automatically at 12 midnight and then scan at 12:30.
Anti-spyware should be set to update automatically at 2:30 am and run a full system scan at 3:00 am. Staggering the schedule this way ensures that only one activity runs at a time; real-time protection stays on in between.
If the employees work from home, they should also have anti-virus and anti-spyware installed on their home computers.
Windows has a built-in firewall, which can be found in the Control Panel. Make sure it is always turned on.
A software firewall is needed on each computer even when a hardware firewall protects the network. If the hardware firewall is compromised by an attacker or by malicious code, you do not want the intruder or malware to have unrestricted access to the computers behind it and the information on them.
Every computer in the network should therefore have its own software firewall enabled.
For other commercial operating systems, the operations manual has instructions on the firewall options.
For an added layer of security, commercial firewall software can be installed.
Windows has an automatic update feature that should be turned on.
The operating system should be regularly updated with the latest patches and updates provided by the vendor.
Major software applications such as Microsoft Office, and any other installed business applications, should also be updated regularly.
Never use an admin account to surf the web; if the browser is compromised, the malicious code runs with admin rights.
Bad passwords on top, good passwords on bottom.
Start with a word or words and change them, for example by abbreviating, shifting keys on the keyboard, interleaving letters, or swapping in synonyms.
Other password creation techniques:
Combining words using symbols and numbers
Abbreviating a phrase
Using music lyrics, poems or quotes
Good password techniques:
Private: tell no one your password
Secret: never write your password down
Easily remembered: use something you know well, then change it slightly as described above
Secure: a combination of letters, numbers and symbols
Change your password at least every three months
Watch for shoulder surfers and other physical techniques for capturing passwords
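An added example, not part of the presentation, showing why "a word plus a few changes" is weaker than it looks and why abbreviating a whole phrase holds up better: a rule-based dictionary attack applies capitalisation, symbol substitution and common suffixes to every word automatically, so a mangled dictionary word is found in a handful of guesses, while a password abbreviated from a song line is not derived from any list entry. The wordlist, rule set and sample passwords are constructed for the example (a real cracking run uses millions of words and thousands of rules), and SHA-256 stands in for whatever hash the target system uses.

```python
import hashlib

# Constructed stand-in for a cracking wordlist (real ones hold millions of
# entries); an assumption for the example, not data from the slides.
WORDLIST = ["password", "welcome", "summer", "dragon", "letmein", "monkey"]

# Common substitutions and suffixes a rule set applies automatically.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ("", "1", "!", "123", "1!", "!1", "2024")


def candidates(word: str):
    """Yield the mangled forms a rule-based cracker derives from one word."""
    bases = []
    for b in (word, word.capitalize(), word.upper(),
              word.translate(LEET), word.capitalize().translate(LEET)):
        if b not in bases:
            bases.append(b)
    for b in bases:
        for suffix in SUFFIXES:
            yield b + suffix
        yield b[::-1]  # reversed word


def sha256_hex(text: str) -> str:
    """Hash a candidate the way the target store would (SHA-256 here)."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash: str, wordlist=WORDLIST):
    """Return (recovered password, guesses made), or (None, guesses made)."""
    guesses = 0
    for word in wordlist:
        for cand in candidates(word):
            guesses += 1
            if sha256_hex(cand) == target_hash:
                return cand, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed samples: two word-based passwords with the usual tweaks, and
    # one abbreviated from a phrase ("Twinkle twinkle little star, how I
    # wonder what you are" -> Ttls,hIwwya).
    for pw in ("P@$$w0rd1", "Summer123", "Ttls,hIwwya"):
        found, n = crack(sha256_hex(pw))
        outcome = f"cracked as {found}" if found else "not found"
        print(f"{pw:<14} -> {outcome} after {n} guesses")
```

The phrase-derived password survives here only because no list contains it; the same script with "Twinkle" in the wordlist and a rule for "first letter of each word" would find it, which is why the abbreviated phrase should be something personal rather than a famous line.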
Email Attachments
Attachments should be opened only from trusted senders.
If you are not expecting an email attachment from the sender, it’s a good idea to call and confirm, before opening the attachment.
Spam email often asks for sensitive information.
Links in emails
Never click on a link in an email or attachment unless you are expecting it.
If you are not expecting a link from the sender, call and confirm before clicking it.
If you hover the cursor over a link in an email, the actual destination address is shown in the status bar at the bottom of the browser or mail client. Make sure it matches the address the link text displays.
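Added example (not from the presentation) that automates the hover check over an HTML message: it collects every link, and where the visible text is itself an address it compares the host named in the text with the host of the real href. Links whose text is plain words are reported separately, since for those hovering is the only way to learn where they go. The message body and the domains in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host with a leading 'www.' dropped; '' if there is none."""
    if "://" not in url:
        url = "http://" + url  # bare 'www.example.com/x' as it appears in link text
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_url(text: str) -> bool:
    """True for link text a reader would take as an address (no spaces, has a dot)."""
    return " " not in text and ("://" in text or "." in text)


def check_links(html: str):
    """Classify each link as 'ok', 'MISMATCH' (the text names one host, the href
    goes to another) or 'text-only' (the visible text is not an address)."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        if not looks_like_url(text):
            verdict = "text-only"
        elif host_of(text) == host_of(href):
            verdict = "ok"
        else:
            verdict = "MISMATCH"
        report.append({"text": text, "href": href, "verdict": verdict})
    return report


# Constructed sample message body; the domains are placeholders.
SAMPLE_EMAIL = """
<p>Dear customer, we noticed unusual activity. Please visit
<a href="http://www.example-bank.com.account-verify.test/login">https://www.example-bank.com/login</a>
within 24 hours.</p>
<p>Questions? See our <a href="https://www.example-bank.com/help">help pages</a>.</p>
<p>Or go to <a href="https://www.example-bank.com/">www.example-bank.com</a> directly.</p>
"""

if __name__ == "__main__":
    for row in check_links(SAMPLE_EMAIL):
        print(f"{row['verdict']:<10} text={row['text']!r} -> {row['href']}")
```

The first link is the classic case: the text reads as the bank's login page while the href leads to a host that merely starts with the bank's name. Mail gateways do the same comparison at scale; the hover check is the manual version.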
Trustworthy Web Pages
Software should be downloaded only from trusted websites, for example Microsoft's own site for Windows and Office updates.
Avoid downloading freeware or shareware from unknown sources; apart from often lacking technical support or full functionality, such downloads are a common carrier of adware and other malicious code.
A pop-up blocker should be installed (many browsers have one built in or as an add-on), but no blocker stops every pop-up.
Do not respond to pop-ups while working online. A malicious pop-up may claim, for example, that your system has a virus. Close it with the X in the upper right corner; clicking OK may install spyware or other malicious code.
Attackers deliberately leave infected USB drives in public places, counting on an unsuspecting finder to take the drive home or to the office and unknowingly run the worm or other malicious code on it.
Always use an up-to-date browser for online activities.
Frequently delete temporary files, cookies, history, saved passwords and similar stored data.
Look for https and the lock or secure symbol before entering any data. Note that this only shows the connection is encrypted to the domain shown in the address bar; it does not prove the site is the one you intend, so check the domain name itself.
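As an added example, not from the presentation, a checker for the address itself rather than the padlock: it reports http instead of https, credentials placed before an "@" (which make the text before it look like the site), punycode labels that can hide look-alike characters, unusual ports, and a trusted name buried inside someone else's domain. The trusted-domain list is a placeholder assumption, and the two-label "registrable domain" rule is a simplification that ignores suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Domains the user actually does business with; constructed placeholders.
TRUSTED_DOMAINS = ("example-bank.com",)


def registrable(host: str) -> str:
    """Last two labels of a host; a simplification that ignores suffixes like co.uk."""
    return ".".join(host.split(".")[-2:])


def inspect_url(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of warnings; an empty list means nothing suspicious was found."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    warnings = []
    if u.scheme != "https":
        warnings.append("not https: anything typed here travels in the clear")
    if u.username is not None:
        # Browsers treat 'user@host' as credentials; the part before '@' is not the site.
        warnings.append(f"credentials before '@': the real host is {host!r}, "
                        f"not {u.username!r}")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: the displayed name may use look-alike characters")
    if u.port not in (None, 80, 443):
        warnings.append(f"unusual port {u.port}")
    for dom in trusted:
        if dom in host and registrable(host) != dom:
            warnings.append(f"{dom!r} appears inside {host!r}, but the site belongs to "
                            f"{registrable(host)!r}")
    return warnings


if __name__ == "__main__":
    # Constructed addresses: one genuine, the rest built the way phishing URLs are.
    SAMPLES = (
        "https://www.example-bank.com/login",
        "http://www.example-bank.com/login",
        "https://www.example-bank.com@evil.test/login",
        "https://www.example-bank.com.account-verify.test/login",
        "https://xn--exmple-bank-cua.test:8443/login",
    )
    for url in SAMPLES:
        print(url)
        for w in inspect_url(url) or ["  looks clean"]:
            print("  -", w)
```

The last two samples can carry a perfectly valid certificate and show a padlock: https vouches for the domain in the address bar, not for whether that domain is the one you meant.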
Back up at least once a week, if possible to removable media.
The removable medium should be large enough to hold 52 weeks of backups (e.g., 500 GB).
Do a full backup once a month and store it off site; it will be needed if a disaster (fire, theft, flood, etc.) hits your office. On the removable medium create 12 folders, one for each month.
Backup data should be tested periodically to ensure reliability.
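Added example (not from the presentation) of the weekly and monthly rotation together with the test step, as a script: each backup goes into a week-numbered or month-named folder on the medium, a manifest of file hashes is written next to the archive, and verify() restores the archive into a scratch directory and compares every file against that manifest, so an archive that cannot be restored or whose contents drifted is caught now rather than after a disaster. The source tree, the "medium" path and the date are constructed for the demo.

```python
import datetime
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def weekly_slot(day: datetime.date) -> str:
    """Folder for the weekly backup: ISO week number, so the slots rotate yearly."""
    return f"weekly/week-{day.isocalendar()[1]:02d}"


def monthly_slot(day: datetime.date) -> str:
    """Folder for the monthly full backup: one of 12, named by month."""
    return f"monthly/{day.strftime('%m-%b')}"


def digests(root: Path) -> dict:
    """SHA-256 of every file under root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, media: Path, day: datetime.date, full: bool = False) -> Path:
    """Write a compressed archive plus a manifest of file hashes into the right slot."""
    target = media / (monthly_slot(day) if full else weekly_slot(day))
    target.mkdir(parents=True, exist_ok=True)
    archive = target / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(source).as_posix())
    (target / "manifest.json").write_text(json.dumps(digests(source), indent=1))
    return archive


def verify(archive: Path):
    """Restore into a scratch directory and compare against the manifest.

    Returns (ok, problems): missing files, unexpected files and hash mismatches.
    """
    manifest = json.loads((archive.parent / "manifest.json").read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            # Newer Pythons offer a filter that blocks path traversal on extraction.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        restored = digests(Path(scratch))
    problems = [f"{name}: missing from archive" for name in manifest if name not in restored]
    problems += [f"{name}: not in manifest" for name in restored if name not in manifest]
    problems += [f"{name}: hash mismatch" for name in manifest
                 if name in restored and restored[name] != manifest[name]]
    return (not problems), problems


if __name__ == "__main__":
    # Constructed demo: a tiny source tree backed up to a temporary "removable medium".
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "documents"
        (src / "reports").mkdir(parents=True)
        (src / "notes.txt").write_text("quarterly notes\n")
        (src / "reports" / "q1.csv").write_text("item,amount\nwidgets,42\n")
        media = Path(tmp) / "usb-drive"
        today = datetime.date(2024, 3, 15)
        weekly = backup(src, media, today)
        monthly = backup(src, media, today, full=True)
        print(weekly.relative_to(media), verify(weekly))
        print(monthly.relative_to(media), verify(monthly))
```

Run the verification on the copy that was actually taken off site, not on the source directory; the point of the test is the medium and the restore path, not the data you still have.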
Tips are the most frequent method of discovering fraud.
The percentages given for where the tips come from are percentages of total tips, not total fraud discoveries.