2. Security Overview
- Making Security Personal
- Security Responsibilities
- Security Policies, Standards and Procedures
- Information Asset Privacy and Acceptable Use
- Questions
3. Making Security Personal
What is your personal stake in security?
- It's your job
- You are protecting your data and information
- You or someone you know has received a letter notifying them that they will need to change out a credit card due to some form of data breach
- Use information security practices at work and at home
- Protect your data
- Protect the company's data with the same vigilance
4. Making Security Personal
- Security breaches carry real costs that affect prices, company valuation, benefits and salaries
- The average security breach can cost a company between $90 and $305 per lost record
- The number of instances of identity theft is growing exponentially every year
- Legislation and industry standards are starting to hold companies and individuals accountable for security
5. Making Security Personal
- Identity thieves pose as representatives of banks, Internet service providers (ISPs) and even government agencies to gain your trust and get you to reveal your SSN, mother's maiden name, account numbers, and other identifying information
- The Federal Trade Commission reported that 1 in 6 consumers will be a victim of identity theft this year alone
- Victims spend on average $1,200 in out-of-pocket expenses and an average of 175 hours in their efforts to resolve the many problems caused by identity thieves
8. Creative Social Engineering
- Internet scam - hybrid cars in North Dakota have been tagged with fake parking citations that include a Web address hosting malicious software that drops a Trojan onto the computer.
- Trojan programs - Zlob is one of the most common types of software programs used to attack Windows these days. The victim is sent a link to what looks like an interesting video. When the link is clicked, the user is told to install a multimedia codec file in order to watch the video. That file is actually malicious software.
- Phishing kits - Some fraudsters have developed websites to sell ready-made products to other fraudsters, such as phishing kits. Recently, the RSA FraudAction Research Lab traced a new type of service on a particular website to sell HTML injections, which can be combined with Trojan attacks.
9. Very Creative Social Engineering
Suspects entered the business and selected merchandise worth almost $8,000. They handed a credit card with no financial backing to the clerk, which, when swiped, was rejected by the cash register's computer. The suspects then informed the clerk that this rejection was expected and to contact the credit card company by phone to receive a payment approval confirmation code. The clerk was then given a number to call, which was answered by another person in the scam who approved the purchase and gave a bogus confirmation number. The suspects then left the store with the unpaid merchandise.
10. Creative Social Engineering
- Google Calendar phishing attacks - Google Calendar phishing uses event invitations to Calendar users asking them to "Verify Your Account" or face account deletion. Victims of this phish are asked to accept the invitation and confirm their user name, password and date of birth in their acceptance.
- Malware - hijacks the victim's browser and directs them to a fake site masquerading as AVG, an antivirus and antispyware protection vendor.
11. Making Security Personal
More social engineering techniques:
- Skimming - thieves create an electronic device which they attach to a card reader such as an ATM. Pocket skimmers are often used in restaurant settings.
- USB drop - hackers drop USB thumb drives carrying rootkits that instantly and secretly install software (HACKSAW) that watches logins and email keystrokes and steals documents.
- Fake wireless - laptops will connect to "Any available network". Bogus hotspots will pass network traffic to the Internet and watch your activity. If file and printer sharing is enabled, your files can be exposed. Mail and any purchases are recorded.
12. Physical Access Controls
- Access to facilities is restricted using physical access controls
- All access to facilities requires visual identification
- All employees are issued a photo security badge. The badge should be visible at all times
- Employees who don't have their badge when they come to work are required to obtain a temporary access badge
- Lost or stolen badges should be reported immediately
13. Physical Access Controls
- Employees are expected to ask those who don't have a proper security badge to sign in at reception
- Every employee must swipe their access card when entering secured access doors. The door must completely close between each person in order to provide a complete access log
- Piggybacking behind another employee is not permitted
- Attempts to access facilities without visual identification should be reported to Security
15. Information Access Controls
- Logical, physical and procedural controls have been put in place to protect information assets
- Access to information resources is based on business need
- You will only have the access level needed to perform your job (read, change, etc.)
- Access to information resources is tracked
- Don't attempt to access data you have no need to access
17. Protecting Against Malicious Software
- Use common sense and due care to protect your desktop, the company's systems and the network from malicious code
- Be vigilant with email and email attachments
- Don't disable anti-virus software or attempt to change the AV configuration settings
- Don't bypass security controls and allow malicious code to enter the network
18. Protecting Against Malicious Software
- Be careful downloading Internet Explorer ActiveX controls or web applets
- Be careful downloading and installing applications from the Internet (including freeware and shareware)
- Don't download content from the Internet (MP3s, AVIs, MP4s, all audio and video content)
- Never consent to trust all software from a provider when prompted
20. Creating a Strong Password
- Passwords need to have upper and lower case alpha characters
- Passwords need to have at least 1 numeric or special character (!, @, #, etc.)
- Passwords need to be a minimum of 7 characters long
- Don't re-use passwords (previous 5 passwords)
- Passwords shouldn't contain the same character next to each other
- Passwords need to be changed every 90 days (45 for administrators)
- Passwords shouldn't contain your user name or the user's full name
- Don't base passwords on information such as user name, DOB, SSN, phone number, PIN, etc.
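The rules on this slide are the kind of thing a password-change screen enforces before it accepts a new password. The following Python checker is an added example, not code from the slide deck or from the company it was written for; it implements the slide's rules with the slide's own thresholds (7 characters, 5-password history). Two details are assumptions: the password history is kept as salted PBKDF2 hashes rather than clear text (so old passwords are never stored readably), and "based on" personal information is interpreted as the normalized item, or any 4-digit run of a numeric item such as a birth year, appearing inside the candidate password.

```python
import hashlib
import hmac
import os
import re

# Thresholds are the ones stated on the slide.
MIN_LENGTH = 7
HISTORY_DEPTH = 5          # "previous 5 passwords"
PBKDF2_ROUNDS = 100_000    # assumption: how stored history entries are hashed


def history_entry(password, salt=None):
    """Store a past password as (salt, PBKDF2-SHA256 digest), never in clear text."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if the candidate matches any of the last HISTORY_DEPTH stored entries."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            return True
    return False


def _normalize(text):
    """Lower-case and keep only letters and digits, so 'J.Smith' still matches 'jsmith'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(password, username="", full_name="", history=(), personal=()):
    """Return the names of the slide's rules the candidate violates; [] means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        violations.append("needs_upper_and_lower")
    # "numeric or special character": any digit, or any non-alphanumeric non-space
    if not any(c.isdigit() or (not c.isalnum() and not c.isspace()) for c in password):
        violations.append("needs_digit_or_special")
    if any(a == b for a, b in zip(password, password[1:])):
        violations.append("repeated_adjacent_char")
    if in_history(password, list(history)):
        violations.append("reused")
    norm_pw = _normalize(password)
    # user name and each part of the full name ("John", "Smith") are checked separately
    names = [username] + full_name.split()
    if any(_normalize(n) and _normalize(n) in norm_pw for n in names):
        violations.append("contains_name")
    for item in personal:                      # DOB, SSN, phone number, PIN, ...
        norm = _normalize(item)
        if len(norm) >= 4 and norm in norm_pw:
            violations.append("contains_personal_info")
            break
        # any 4-digit window of a numeric item (e.g. the year of a DOB) is also rejected
        digits = re.sub(r"\D", "", item)
        if any(digits[i:i + 4] in norm_pw for i in range(len(digits) - 3)):
            violations.append("contains_personal_info")
            break
    return violations


if __name__ == "__main__":
    # constructed sample input, not real account data
    old = [history_entry("Old-Pass1")]
    print(check_password("Tr0ub4dor!", "jsmith", "John Smith", old, ["1985-03-12"]))
    print(check_password("Smith1985!", "jsmith", "John Smith", old, ["1985-03-12"]))
```

The 90-day rotation rule is a scheduling matter for the directory or identity system rather than something a checker can decide from the password alone, so it is not modelled here. Note that current guidance such as NIST SP 800-63B no longer recommends mandatory periodic rotation or composition rules, favouring length and screening against breached-password lists instead; the slide reflects the policy of its time.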
21. Securing Your Workstation
- Always "lock" your workstation when leaving it unattended, with Ctrl-Alt-Del and then Lock Computer
- Always log off or shut down your workstation when leaving work
- Use a password-protected screen saver from the list of available screen savers on your system (don't download and install screensavers)
- When traveling, always secure an unattended laptop with a cable lock attached to a heavy chair, table, or desk
- Use a screen guard to prevent people from peeking over your shoulder as you work on sensitive information in a public place
26. Securing Your Laptop
Wireless networking
- Be on the lookout for fraudulent hotspots (free wireless) where data thieves mimic a valid wireless source. Verify the hotspot with the local coffee shop, hotel or airport
- Never automatically connect to available wireless sources
- Always update your operating system when critical patch notifications are issued
27. Securing Your Laptop
Bluetooth is a radio communications technology allowing computers to communicate with other devices over a short range
- Disable the Bluetooth device when not in use
- Bluetooth should be in "hidden" or "not discoverable" mode when in use
- Password protect it if available
28. Securing Your Laptop
Infrared
- Infrared ports can be used to connect two computers together. This may enable another computer to browse your hard disc and access data
29. Protect Yourself from Fraud
- Do not write your PIN on your debit card
- Protect access to your PIN; cover your hand to protect against video cameras and skimming
- Limit the amount in your debit account
- Have alternative access to funds and credit in case your account is frozen due to fraud
- Sign up for purchase notifications if available, e.g. Discover has an alert on purchases over X amount
- Use the PayPal/eBay PIN security device
- Email and restaurants are the number one attack vectors for electronic theft
30. Privacy on Facebook
February 12, 2009 – 6:25 AM
This is an excellent article that lists 10 ways to protect your privacy on Facebook. Read the article for the full details, but here's a quick summary:
- Use Your Friend Lists
- Remove Yourself From Facebook Search Results
- Remove Yourself From Google
- Avoid the Infamous Photo/Video Tag Mistake
- Protect Your Albums
- Prevent Stories From Showing Up in Your Friends' News Feeds
- Protect Against Published Application Stories
- Make Your Contact Information Private
- Avoid Embarrassing Wall Posts
- Keep Your Friendships Private
Good advice for all Facebook users.
31. And Always
- Use antivirus software and keep it up-to-date to protect against the latest threats
- Use a personal firewall, preferably one that offers both inbound and outbound permission-based monitoring. An excellent option is the free Comodo personal firewall
- Consistently apply patches. Microsoft releases new patches on the second Tuesday of every month
- Don't neglect vendor software. Firefox users and Mac users need to be diligent about applying patches