Security Awareness 101
Security Overview

- Making Security Personal
- Security Responsibilities
- Security Policies, Standards and Procedures
- Information Asset Privacy and Acceptable Use
- Questions
Making Security Personal

What is your personal stake in security?
- It's your job.
- You are protecting your own data and information. You, or someone you know, has received a letter saying a credit card must be replaced because of a data breach.
- Use information security practices at work and at home: protect your own data, and protect the company's data with the same vigilance.
Making Security Personal

- Security breaches carry real costs that affect prices, company valuation, benefits and salaries.
- The average security breach costs a company between $90 and $305 per lost record.
- The number of identity theft incidents is growing sharply every year.
- Legislation and industry standards are starting to hold companies and individuals accountable for security.
Making Security Personal

- Identity thieves pose as representatives of banks, Internet service providers (ISPs) and even government agencies to gain your trust and get you to reveal your SSN, mother's maiden name, account numbers and other identifying information.
- The Federal Trade Commission reported that 1 in 6 consumers will be a victim of identity theft this year alone.
- Victims spend on average $1,200 in out-of-pocket expenses and 175 hours resolving the problems caused by identity thieves.
Making Security Personal

Identity thieves:
- Steal your mail, or submit a change-of-address form to have your mail redirected.
- Steal personnel records from employers.
- Can be family members who assume your identity.

Be aware and cautious of social engineering methods at home and at work. Social engineering is the art of deception: it fools you into giving up information you would normally not disclose.

Making Security Personal

Social engineering techniques:
- Phishing: the thief sends an e-mail that looks like it comes from your bank, or claims there is a problem with your eBay or PayPal account, to lure you to a fake site.
- Spear phishing: a targeted phishing e-mail that usually contains personal information such as your name or a detail about your employment, to make it more convincing.
- Pretexting: a person pretending to be with a legitimate company, like your insurance company, calls and tries to get you to "verify" your account numbers or even your SSN. Done over the phone this is also known as vishing (voice phishing).
- Pharming (pronounced "farming"): redirecting a website's traffic to a bogus look-alike site, typically by poisoning DNS or altering the victim's hosts file, so that even a correctly typed address lands on the attacker's page.
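The phishing e-mails described above usually give themselves away in the links: the visible text names the bank's domain while the href points elsewhere, the brand appears only as a subdomain of an unrelated host, or the target is a bare IP address. The following is an added example, not material from the original deck, showing those three checks run over a constructed HTML message. The e-mail body, the trusted-domain table and the two-label "registrable domain" approximation are assumptions made for the example.

```python
"""Flag suspicious links in an HTML e-mail body (added example).

Checks each <a> tag for: a raw-IP target, a mismatch between the domain shown
in the link text and the domain the href really goes to, and a trusted brand
name that appears in the host but is not the brand's own registrable domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample e-mail body for the example.
SAMPLE_EMAIL = """
<p>We detected a problem with your account.</p>
<a href="http://paypal.com.account-verify.example.net/login">https://www.paypal.com/signin</a>
<a href="https://www.ebay.com/help">Help Center</a>
<a href="http://198.51.100.23/update">https://online.mybank.example/update</a>
"""

# Assumed: brands this mail may claim to come from and where they really live.
TRUSTED_DOMAINS = {"paypal": "paypal.com", "ebay": "ebay.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two DNS labels. Good enough for .com/.net; ccTLDs such as
    .co.uk would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text: str) -> str:
    """Return the host if the link text looks like a URL or bare domain, else ''."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname or ""
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host.lower()) else ""


def suspicious_links(html: str) -> list:
    """Return one finding per link that trips at least one check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href).hostname or ""
        reasons = []
        # Legitimate sites are almost never linked by raw IP address.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            reasons.append("link target is a raw IP address")
        # Visible text shows one domain, href goes to another.
        shown = host_of(text)
        if shown and registrable_domain(shown) != registrable_domain(target):
            reasons.append(f"visible text says {shown} but link goes to {target}")
        # Brand name used as a subdomain of someone else's domain.
        for brand, real in TRUSTED_DOMAINS.items():
            if brand in target.lower() and registrable_domain(target) != real:
                reasons.append(f"'{brand}' appears in host {target} but the registrable domain is not {real}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

On the constructed message the PayPal and bank links are flagged and the genuine eBay link passes. The text/href comparison is the one check users can do by hand: hover over the link and read the real destination before clicking.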
Creative Social Engineering

- Internet scam: hybrid cars in North Dakota were tagged with fake parking citations that pointed to a web address hosting malicious software, which dropped a Trojan onto the visitor's computer.
- Trojan programs: Zlob is one of the most common programs used to attack Windows today. The victim is sent a link to what looks like an interesting video; when it is clicked, the user is told to install a multimedia codec in order to watch it. That "codec" is the malware.
- Phishing kits: some fraudsters run websites selling ready-made products to other fraudsters, such as phishing kits. The RSA FraudAction Research Lab recently traced a new service on one such site selling HTML injections, which can be combined with Trojan attacks.
Very Creative Social Engineering

Suspects entered a business and selected merchandise worth almost $8,000. They handed the clerk a credit card with no financial backing; when swiped, the register rejected it. The suspects told the clerk that the rejection was expected and that the clerk should phone the credit card company for a payment approval confirmation code. The number they supplied was answered by an accomplice, who "approved" the purchase and gave a bogus confirmation number. The suspects left the store with the unpaid merchandise. The lesson: a phone number used to verify anything must come from your own records, never from the person being verified.
Creative Social Engineering

- Google Calendar phishing: event invitations sent to Calendar users ask them to "Verify Your Account" or face deletion. Victims are asked to accept the invitation and confirm their user name, password and date of birth in the acceptance.
- Malware posing as security software: hijacks the victim's browser and redirects it to a fake site masquerading as AVG, an antivirus and antispyware vendor.
Making Security Personal

More social engineering techniques:
- Skimming: thieves attach an electronic device to a legitimate card reader such as an ATM to copy card data. Pocket skimmers are often used in restaurant settings, where the card leaves your sight.
- USB drop: attackers leave USB thumb drives lying around; when one is plugged in, a drive loaded with a rootkit (HACKSAW is one such tool) silently installs software that watches logins and e-mail keystrokes and steals documents.
- Fake wireless: laptops set to connect to "any available network" will join a bogus hotspot. The hotspot passes your traffic on to the Internet while watching everything you do; if file and printer sharing is enabled your files can be exposed, and your mail and any purchases can be recorded.
Physical Access Controls

- Access to facilities is restricted using physical access controls.
- All access to facilities requires visual identification.
- All employees are issued a photo security badge. The badge should be visible at all times.
- Employees who arrive without their badge are required to obtain a temporary access badge.
- Lost or stolen badges should be reported immediately.
Physical Access Controls

- Employees are expected to ask anyone without a proper security badge to sign in at reception.
- Every employee must swipe their own access card when entering a secured door.
- The door must close completely between each person so that the access log is complete.
- Piggybacking (tailgating) behind another employee is not permitted.
- Attempts to access facilities without visual identification should be reported to Security.
Bypassing Physical Access Controls

Physical access controls should never be bypassed. Never. Ever.
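The rule that every person swipes and the door closes between people is what makes the badge log useful: with a reader on each side of the door, every badge should alternate IN and OUT, and any swipe that breaks the sequence means somebody passed the door without badging or a card was shared. The following is an added example, not part of the original deck, of that anti-passback check run over constructed badge events. The log format (timestamp, badge, door, direction, result) and the assumption that the log covers the whole period are made up for the example.

```python
"""Anti-passback check over badge reader events (added example).

Tracks where each badge holder should be and reports swipes that contradict
it: a second IN with no OUT in between (the holder left without badging, or
lent the card) and an OUT with no prior IN (the holder entered by tailgating).
"""
from datetime import datetime

# Constructed sample log; one door with readers on both sides.
SAMPLE_LOG = """\
2009-02-12T08:01:10 B1001 lobby IN GRANTED
2009-02-12T08:01:12 B1002 lobby IN GRANTED
2009-02-12T08:03:45 B1003 lobby IN GRANTED
2009-02-12T12:05:00 B1001 lobby OUT GRANTED
2009-02-12T12:06:30 B1004 lobby OUT GRANTED
2009-02-12T13:00:02 B1001 lobby IN GRANTED
2009-02-12T13:00:04 B1002 lobby IN GRANTED
2009-02-12T17:30:00 B1002 lobby OUT GRANTED
2009-02-12T17:31:00 B9999 lobby IN DENIED
2009-02-12T17:31:03 B1003 lobby IN GRANTED
"""


def parse_events(text: str) -> list:
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, direction, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "direction": direction, "result": result})
    return events


def anti_passback_violations(events: list) -> list:
    """Return (badge, timestamp, reason) for every sequence violation.

    State per (badge, door): missing = never seen (assumed outside, since the
    log is assumed to cover the whole period), 'IN' = inside, 'OUT' = outside.
    Denied swipes never move anyone, so they do not change state.
    """
    state = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "GRANTED":
            continue
        key = (ev["badge"], ev["door"])
        prev = state.get(key)
        if ev["direction"] == "IN" and prev == "IN":
            findings.append((ev["badge"], ev["ts"],
                             "IN while already inside: exit without badging"))
        elif ev["direction"] == "OUT" and prev != "IN":
            findings.append((ev["badge"], ev["ts"],
                             "OUT without a prior IN: entry without badging"))
        state[key] = ev["direction"]
    return findings


if __name__ == "__main__":
    for badge, ts, reason in anti_passback_violations(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {badge}: {reason}")
```

On the sample, B1004 is caught leaving a building it never badged into, and B1002 and B1003 are caught re-entering without ever having badged out. Either way the log is incomplete, which is exactly why the slide forbids piggybacking.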
Information Access Controls

- Logical, physical and procedural controls have been put in place to protect information assets.
- Access to information resources is based on business need.
- You will only have the access level needed to perform your job (read, change, etc.).
- Access to information resources is tracked.
- Don't attempt to access data you have no need to access.
Bypassing Information Access Controls

Information access controls should never be bypassed. Access is logged.
Protecting Against Malicious Software

- Use common sense and due care to protect your desktop, the company's systems and the network from malicious code.
- Be vigilant with e-mail and e-mail attachments.
- Don't disable anti-virus software or attempt to change the AV configuration settings.
- Don't bypass security controls and allow malicious code to enter the network.
Protecting Against Malicious Software

- Be careful downloading Internet Explorer ActiveX controls or web applets.
- Be careful downloading and installing applications from the Internet (including freeware and shareware).
- Don't download media content from the Internet (MP3s, AVIs, MP4s, or any other audio and video content).
- Never consent to "always trust" all software from a publisher when prompted; doing so lets future code signed by that publisher install without asking you.
Creating a Strong Password

- A secure computer has strong passwords for all user accounts.
- Hello2U! is a relatively weak password; H!elZl2o is stronger. Both are only 8 characters, though, and length does more for strength than character substitutions: add characters before you add symbols.
- Use the extended ASCII character set, e.g. Tf©$0p#»g¤5ªhc (be aware that such characters can be hard to type on other keyboards or at some login prompts).
- Windows passwords can be up to 127 characters long.
- Use the first letter of each word from a line in a book, song, or poem: "Bad Boys, Bad Boys, who you gonna call" roughly translates into BBbbWhoUgc?2.
- Use numbers and letters to create an imaginary vanity license plate, like iLove2Fly<->.
Creating a Strong Password

Password rules:
- Passwords must contain upper- and lower-case alphabetic characters.
- Passwords must contain at least one numeric or special character (!, @, #, etc.).
- Passwords must be a minimum of 7 characters long.
- Don't re-use any of your previous 5 passwords.
- Passwords shouldn't contain the same character twice in a row.
- Passwords must be changed every 90 days (45 days for administrators).
- Passwords shouldn't contain your user name or your full name.
- Don't base a password on personal information such as user name, date of birth, SSN, phone number, PIN, etc.
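The rules above are mechanical enough to enforce at password-change time. The following is an added example, not code from the original deck, that checks a candidate against every rule on the slide that can be tested from the password itself: mixed case, a digit or special character, the 7-character minimum, no character repeated next to itself, no fragment of the user name or full name, no 4-digit run from personal data such as date of birth or phone number, and no match against the previous 5 passwords. The history is kept as salted PBKDF2 hashes so old passwords never need to be stored in clear. The user record and old passwords are constructed for the example. Note what the checker does not do: passing every rule does not make a password strong, and Hello2U! from the previous slide fails only on the doubled "l".

```python
"""Password policy checker for the rules on the slide (added example)."""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 7      # slide: minimum of 7 characters
HISTORY_DEPTH = 5   # slide: no reuse of the previous 5 passwords


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash used to store password history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(password: str, username: str, full_name: str,
                   history: list, personal_data: tuple = ()) -> list:
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"[0-9]|[^A-Za-z0-9]", password):
        problems.append("needs at least one digit or special character")
    if re.search(r"(.)\1", password):
        problems.append("contains the same character twice in a row")
    lowered = password.lower()
    # Name parts of 3+ letters, so initials like "J" do not block everything.
    for part in [username] + full_name.split():
        if len(part) >= 3 and part.lower() in lowered:
            problems.append(f"contains '{part}' from the user name or full name")
    # Any 4-digit run taken from DOB, phone, SSN, PIN etc. appearing verbatim.
    for label, value in personal_data:
        digits = re.sub(r"\D", "", value)
        if any(digits[i:i + 4] in password for i in range(len(digits) - 3)):
            problems.append(f"contains digits from {label}")
    # Compare against stored (salt, hash) pairs in constant time.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
            break
    return problems


# Constructed user record for the example.
USER = {"username": "jsmith", "full_name": "Jane Smith",
        "dob": "1972-03-14", "phone": "555-0123"}
HISTORY = []
for _old in ("Winter08!", "Spring09!"):
    _salt = os.urandom(16)
    HISTORY.append((_salt, hash_password(_old, _salt)))


def evaluate(password: str) -> list:
    """Check a candidate for the constructed user."""
    return check_password(password, USER["username"], USER["full_name"], HISTORY,
                          personal_data=(("date of birth", USER["dob"]),
                                         ("phone number", USER["phone"])))


if __name__ == "__main__":
    for candidate in ("Hello2U!", "H!elZl2o", "Spring09!", "JaneSmith1972"):
        print(candidate, "->", evaluate(candidate) or "OK")
```

The checker is a floor, not a strength meter: H!elZl2o passes every rule and is still an 8-character password that an offline attacker can exhaust quickly, so the passphrase advice on the previous slide matters more than the rule list.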
Securing Your Workstation

- Always lock your workstation when leaving it unattended: press Ctrl-Alt-Del and choose Lock Computer (or press Windows key + L).
- Always log off or shut down your workstation when leaving work.
- Use a password-protected screen saver from the list already available on your system (don't download and install screen savers).
- When traveling, always secure an unattended laptop with a cable lock attached to a heavy chair, table or desk.
- Use a screen guard to prevent people from peeking over your shoulder as you work on sensitive information in a public place.
Securing Your Laptop

- Don't store sensitive information on laptops. If confidential information must be stored on a laptop, use disk encryption.
- Don't leave your laptop in your car. It should only be in the car while being transported to and from work, or to and from another place where it will be used for business.
- Theft is a major concern. Don't be a target: while commuting, don't leave the laptop in plain sight in the car; lock it in the trunk if necessary.
- Always take your laptop on the plane rather than checking it with your luggage.

Securing Your Laptop

These features could be used to access your system without you being aware of it:
- Wireless networking
- Bluetooth
- Infrared (IR)
Securing Your Laptop

Wireless networking:
- Be on the lookout for fraudulent hotspots ("free wireless") where data thieves mimic a valid wireless source.
- Verify the hotspot name with the coffee shop, hotel or airport before connecting.
- Never automatically connect to available wireless sources.
- Always update your operating system when critical patch notifications are issued.
Securing Your Laptop

Bluetooth is a short-range radio technology that lets computers communicate with other devices.
- Disable the Bluetooth device when not in use.
- Set Bluetooth to "hidden" or "not discoverable" mode when it is in use.
- Require a pairing PIN or password where available.
Securing Your Laptop

Infrared: infrared ports can be used to connect two computers together. This may allow another computer to browse your hard disk and access data. As with Bluetooth, disable the port when not in use.
Protect Yourself from Fraud

- Do not write your PIN on your debit card.
- Protect access to your PIN: cover your hand at the keypad to defeat cameras and skimmers.
- Limit the amount kept in your debit account.
- Have alternative access to funds and credit in case your account is frozen due to fraud.
- Sign up for purchase notifications if available, e.g. Discover can alert on purchases over a chosen amount.
- Use the PayPal/eBay PIN security device (a one-time-code token) where offered.
- E-mail and restaurants are the number one attack vectors for electronic theft.
Privacy on Facebook

February 12, 2009 – 6:25 AM

This is an excellent article that lists 10 ways to protect your privacy on Facebook. Read the article for the full details, but here's a quick summary:
1. Use your friend lists
2. Remove yourself from Facebook search results
3. Remove yourself from Google
4. Avoid the infamous photo/video tag mistake
5. Protect your albums
6. Prevent stories from showing up in your friends' news feeds
7. Protect against published application stories
8. Make your contact information private
9. Avoid embarrassing wall posts
10. Keep your friendships private

Good advice for all Facebook users.
