Security Awareness 
Untangled Church Technology Conference 
© 2014 JurInnov, Ltd. All Rights Reserved 
November 8, 2014 
Dr. Eric Vanderburg 
Director, Cybersecurity and Information Systems 
eav@jurinnov.com 
@evanderburg 
(216) 664-1100
How security is composed 
[Pie chart: People, Process and Technology, with slices labeled 90% and 10%]
Things your mother probably told you 
• Don’t accept candy from strangers 
– Infected devices 
• It’s ok to ask questions 
– Challenge 
• Don’t leave your things lying around 
– Clean desk and locked screen 
• Be careful who your friends are 
– Social networking 
• Avoid that area of town 
– Discretionary web surfing 
Security goals 
Three goals: 
• Confidentiality – Ensuring that confidential university information is protected from unauthorized disclosure 
• Integrity – Ensuring the accuracy and completeness of information and computer software 
• Availability – Ensuring that information and vital services are accessible for use when required
Malware 
Detection (warning signs): 
• Security software stops working 
• Computer seems slower than usual, unexpected restarts 
• Browser takes you to a different site than you expected 
• Your hard drive is full 
• Increased number of popup windows 
Defense: 
• Antivirus software with updates and regular scanning 
• Avoid unsolicited email and links 
• Download from trusted sites 
• Personal firewall
Computer Use 
• Secure browsing 
• Updates 
• Popups and warnings 
• Certificate errors 
• Suspicious links 
• Deleted files are not truly deleted 
Remove the opportunity 
• Location of office equipment 
– Printers & fax machines 
• Lock it down 
– Office doors 
– File cabinets, sensitive documents, personal items 
– Computers 
• Windows OS: Ctrl-Alt-Delete then Enter (Lock is the default choice), or Windows key + L 
• Macs: Shift (⇧) + Command (⌘) + Q logs you out rather than locking; to lock without losing your session, use Control + Shift + Eject (Control + Shift + Power on Macs without an Eject key) with a password required on wake 
• Password-protected screensaver or time-out 
• Don’t leave the computer unattended when logged into an account with 
sensitive data (e.g., payroll, email, personal info) 
– Phones 
It’s ok to discriminate against data 
• You can’t treat it all the same 
– Personal information 
– Financial information 
– Member information 
– Public information 
• Where is all the data? 
– Head, paper, computer, server, backup, email 
• What if we got rid of it? 
Data Protection 
• Accessible only to authorized users 
• Physically locked down 
• Not out in the open 
• Encrypted 
• Password protected 
Encryption 
• At rest 
– Full disk encryption 
– File encryption 
• In motion 
– VPN 
– SSL/TLS
Phishing 
• Email 
• Text 
• Chat 
• Craigslist 
• Dating sites 
Phishing markers 
• False Sense Of Urgency - Threatens to "close/suspend your 
account”, charge a fee or talks about suspicious logon 
attempts, etc. 
• Suspicious-Looking Links - Links containing all or part of a 
real company's name asking you to submit personal 
information. 
• Not personalized – does not address you by name or 
include a masked version of the account number. 
• Misspelled or Poorly Written – Helps fraudulent emails 
avoid spam filters 
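The "suspicious-looking links" marker above can be checked mechanically before anyone clicks. The following is an added example, not part of the original slides: it takes a link's real target (href) and the text the reader sees, and reports the markers that fire. The brand list, the legitimate-domain table, the two-label approximation of a "registered domain" and the sample links are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: brands a phisher might imitate, mapped to the
# registered domains those brands really use (assumed, not an authoritative list).
LEGIT_DOMAINS = {
    "paypal": {"paypal.com"},
    "chase": {"chase.com"},
    "amazon": {"amazon.com"},
    "microsoft": {"microsoft.com", "live.com"},
}

DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _parsed(url):
    # Mail clients accept links without a scheme; normalise so urlparse sees a host.
    return urlparse(url if "://" in url else "http://" + url)


def registered_domain(host):
    """Approximate the registrable domain as the last two labels. Good enough for
    .com-style names; real code should consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href, text=""):
    """Return the list of phishing markers found for one hyperlink.

    href -- the URL the link actually points to
    text -- the visible anchor text the reader sees
    An empty list means no marker fired, not that the link is safe."""
    findings = []
    parsed = _parsed(href)
    host = (parsed.hostname or "").lower()
    reg = registered_domain(host)

    # Marker 1 (slide: "links containing all or part of a real company's name"):
    # the brand appears in the URL but the registered domain is not the brand's.
    for brand, domains in LEGIT_DOMAINS.items():
        if brand in href.lower() and reg not in domains:
            findings.append(
                f"'{brand}' appears in the URL but it resolves to {host or '(no host)'}")

    # Marker 2: the visible text names one domain, the href goes to another.
    shown = DOMAIN_RE.search(text.lower())
    if shown and registered_domain(shown.group(0)) != reg:
        findings.append(f"link text shows {shown.group(0)} but href goes to {host}")

    # Marker 3: a bare IP address instead of a company hostname.
    if IPV4_RE.fullmatch(host):
        findings.append(f"href uses a bare IP address ({host})")

    # Marker 4: userinfo trick, e.g. http://paypal.com@evil.example/ -- everything
    # before '@' is a username; the real host is what follows it.
    if "@" in parsed.netloc:
        findings.append("href contains '@' in the authority; the real host follows it")

    return findings


# Constructed sample links, as they might appear in a suspicious email.
SAMPLES = [
    ("https://www.paypal.com/signin", "PayPal"),
    ("http://paypal.com.login-verify.net/update", "Verify your PayPal account"),
    ("http://paypal.com@evil.example/", "paypal.com"),
    ("http://192.0.2.10/chase/login", "www.chase.com"),
    ("https://login.live.com/", "Microsoft account"),
]


def scan(samples=SAMPLES):
    """Map each href to its findings; used to triage a batch of extracted links."""
    return {href: check_link(href, text) for href, text in samples}


if __name__ == "__main__":
    for href, findings in scan().items():
        print(href, "->", findings or "no markers")
```

Hovering over a link in a mail client shows the href; the visible text is what the phisher controls. The checker only reports markers, so a clean result still deserves the "type the address yourself" habit from the next slide.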
Subject: URGENT! Haiti Victims Need Your Help! 
Subject: You’ve received a greeting card 
Protect yourself against phishing 
• Treat all email with suspicion 
• Never use a link in an email to get to any web page; type the address yourself or use a saved bookmark 
• Never send personal or financial information to anyone via email 
• Never give personal or financial information solicited via email 
Passwords 
• Passwords are THE KEYS TO: 
– Your bank account 
– Your computer 
– Your email 
– A server on a network 
– Many other things 
Passwords 
• Passwords are like underwear 
– Change them often 
– Showing them to others can get you in trouble 
– Don’t leave them lying around 
• Use different passwords for different purposes 
Passwords 
• Length 
• Complexity 
• Passphrase 
• http://www.passwordmeter.com/ 
Use a phrase, sentence, question or random statement (with a twist): 
• 2NiteWeparty*likeits1999 
• HowdoU”spell”thatAGAIN? 
• Amishwish4fish2squish 
• OunceI$good#isbetter! 
Use a fake website, email, file or address: 
• Website (time4anewpwagain.com) 
• Email (Passwords@stupid.com) 
• File (passwords/make/me/crazy) 
• Address (4223westmyhouse) 
Use a phrase, random statement or compound word; then shorten it and make it nonsensical: 
• Follow the yellow brick road to OZ = Ftybr2OZ 
• Why did the chicken cross the road? = Y?dtCxtR? 
• Wildthing = W!ld*7H1ng! 
• Red Jello = R3d-j3llo:) 
(Never use these published examples as actual passwords.)
Email password theft - indicators 
Warning signs: 
• You receive a large number of rejected (bounced) messages 
• You find messages in your sent folder that you know you didn’t send 
• Missing email 
• Unexplained changes to your account settings 
• Spam
Identity Theft 
• Thieves will… 
– Go on spending sprees using your credit card 
– With your name and Social Security number, open new credit card accounts or gain employment 
– Give your name to the police during an arrest 
– Establish wireless service in your name 
Identity theft – How it happens 
• They may steal your mail, wallet, 
or purse 
• Malware 
• Phishing 
• Social engineering 
– bribing or conning an employee 
who has access to these records 
• Stealing personnel records or breaking 
into your records electronically 
Social engineering 
Social engineering preys on qualities of human nature: 
• The desire to be helpful 
• The tendency to trust people 
• The fear of getting into trouble
Identity Theft - Indicators 
• Bills that do not arrive as expected 
• Charges on your credit card that are not yours 
• Unexpected credit cards or account statements 
• Denials of credit for no apparent reason 
• Calls or letters from 
– Debt collectors 
– Businesses about merchandise or services you did not purchase 
Identity Theft - Defenses 
• Limit the number of credit cards you carry 
• Keep a list of all credit cards numbers and the 
numbers to call to report them 
• Shred Information 
• Be diligent about checking statements 
• Order and analyze your credit report 
• Watch for Shoulder Surfing 
Identity Theft - Response 
• Place a "Fraud Alert" on your credit reports 
• Close suspect accounts 
• Use the FTC’s ID Theft Affidavit 
• Keep Documentation about conversations 
• File a police report with local Law Enforcement 
• Report the theft to FTC 
– Online at Ftc.gov/idtheft 
– By phone 1-877-ID-THEFT (438-4338) 
Social Networking 
• Networking sites: 
– Used to meet people online, stay in touch with friends, connect on professional levels 
– Use the privacy settings on your account to limit who can see your information 
– Be careful about who you accept as a “friend” 
– Be careful about the information you provide on these sites 
What’s wrong with this picture? [image]
Q&A 
Don’t be shy… 


Editor's Notes

  • #14 A more malicious type of spam is phishing. Phishing is a social engineering technique cyber criminals use to acquire sensitive information by masquerading as a trustworthy person or business in a seemingly official electronic notification or message. Other common malicious emails masquerade as invitations to see photos of family or friends, greeting cards, pleas for disaster relief assistance, or other intriguing headlines.  These emails play on your emotions to try to get you to react without thinking. So always beware of messages where someone is threatening to close an account or take away privileges unless you provide personal information. Remember that social engineers are trying to use your trusting nature and fear of trouble against you.
  • #19 The key to password strength is length and complexity. As you just learned, a poorly chosen password may result in the compromise of individual systems, data or the entire University of Arizona network. Therefore, it’s important that your NetID password is as long and complex as is feasible. Passwords should be easy for you to remember, but difficult for other people to guess. Some people find creating a password that is associated with a phrase (also known as a passphrase) is easier to remember. By virtue of its length, a passphrase is stronger than a password. It could be a line from your favorite song, the punch line of a joke, three or more words in a row, or anything else. However, be careful about using dictionary words, movie titles, famous quotes, etc., as these have been added to password cracker dictionaries. So, if you opt to use a well-known phrase, sentence, question, or quote, you should always add a twist. For example, if you use a well-known question -- such as “why did the chicken cross the road?” -- add a word in the middle. Another suggestion for creating a complex yet easy to remember password is to use a fake (and we emphasize fake) website address, email address, and the like. Unfortunately, not all services support long passwords. For those accounts that do not allow longer passwords, what matters is the complexity you add to make it secure. The more nonsensical, the better! For these instances you can use a phrase, random statement or compound word, shorten it and make it nonsensical by inserting numbers and special characters. Take the example here using the compound word “wildthing,” where we have added complexity by using uppercase, lowercase, and inserting numbers and special characters. It’s important to note that you should never use published example passwords/passphrases, such as the ones used in this presentation.
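The password slides and the note above make three claims worth putting numbers on: length matters more than symbol substitution, a phrase built from dictionary words is only as strong as the number of words an attacker must guess, and a published example is worth nothing. The following is an added example, not part of the original presentation: a small estimator that scores a candidate by the brute-force bound or, for a plain word-passphrase, by the dictionary bound, and refuses the deck's own published examples. The word list, the 7,776-word diceware size, the guess rate, the 50/80-bit thresholds and the `correct-horse-battery-staple` test phrase are assumptions for the example.

```python
import math
import re
import secrets

# Constructed stand-in for a real word list; a standard diceware list has 7,776 words.
WORDS = ["amish", "wish", "fish", "squish", "ounce", "good", "better", "chicken",
         "road", "brick", "yellow", "jello", "wild", "thing", "party", "spell"]
DICEWARE_SIZE = 7776

# The slide's own published examples. Treat them as present in every cracking
# wordlist (the speaker notes say never to use published examples).
PUBLISHED = {"2NiteWeparty*likeits1999", 'HowdoU"spell"thatAGAIN?',
             "Amishwish4fish2squish", "OunceI$good#isbetter!",
             "Ftybr2OZ", "Y?dtCxtR?", "W!ld*7H1ng!", "R3d-j3llo:)"}

GUESSES_PER_SECOND = 1e10   # assumption: offline attack against a fast, unsalted hash
PUNCTUATION = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")  # the 32 printable ASCII symbols


def charset_size(pw):
    """Size of the alphabet an attacker must cover, from the character classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in PUNCTUATION for c in pw):
        size += len(PUNCTUATION)
    size += len({c for c in pw if not (c.isalnum() or c in PUNCTUATION)})  # space, unicode
    return size


def brute_force_bits(pw):
    """Upper bound: bits of work if every string of this length and alphabet is tried."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def passphrase_bits(n_words, wordlist_size=DICEWARE_SIZE):
    """Work for an attacker who guesses whole words: length in characters is irrelevant."""
    return n_words * math.log2(wordlist_size)


def estimate_bits(pw, wordlist_size=DICEWARE_SIZE):
    """Return (bits, method). Lowercase words joined by spaces or hyphens are scored as a
    dictionary passphrase; anything else gets the brute-force bound."""
    tokens = re.split(r"[ \-]", pw)
    if len(tokens) > 1 and all(t.isalpha() and t.islower() for t in tokens):
        return passphrase_bits(len(tokens), wordlist_size), "dictionary"
    return brute_force_bits(pw), "brute-force"


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Calendar years to try the whole space at the assumed guess rate."""
    return 2 ** bits / rate / (365.25 * 86400)


def assess(pw, wordlist_size=DICEWARE_SIZE):
    """Score one candidate. A published example scores zero whatever its shape."""
    if pw in PUBLISHED:
        return {"bits": 0.0, "method": "published example", "verdict": "unusable"}
    bits, method = estimate_bits(pw, wordlist_size)
    verdict = "weak" if bits < 50 else "ok" if bits < 80 else "strong"
    return {"bits": round(bits, 1), "method": method, "verdict": verdict}


def generate_passphrase(n_words=5, wordlist=WORDS, sep="-"):
    """CSPRNG-chosen words; strength comes from n_words and the list size, not cleverness."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for cand in ("Ftybr2OZ", "correct-horse-battery-staple", generate_passphrase()):
        print(cand, assess(cand))
```

Two things the output makes concrete: the eight-character `Ftybr2OZ` sits at about 48 bits by the brute-force bound, which the assumed rig exhausts in under a day, and a four-word phrase scores 164 bits by character count but only 52 bits once the attacker guesses words rather than letters. Adding words (or a non-dictionary twist, as the note suggests) moves that number; swapping `i` for `1` does not.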
  • #27 Networking sites have become very popular online, but can also be places that identity thieves use to capture personal information they can use against you. Make sure that you adjust your privacy settings to protect yourself, and be careful about who you accept as a friend. Once you have accepted someone as your friend they will be able to access any information about you (including photographs) that you have marked as viewable by your friends. You can remove friends at any time, should you change your mind about someone.