Minimum Cyber-Security Requirements: What You Need To Know
What is Information Security and Why Do We Need It?
In the digital world we trust insecure data from unauthenticated sources.
WHAT?!?
Why do we need information security
Definitions First
◦ Data – electronically stored information
◦ Authenticated vs. Unauthenticated – Do you know who or what they are? Are you sure?
◦ Firewall – a security system that uses hardware and/or software mechanisms to prevent unauthorized users from accessing an organization’s internal computer network.
◦ Malicious Software – software used or programmed by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. This includes spyware, adware, viruses and general malware.
◦ Software Patches – software that corrects a problem.
Let’s break that down a bit
In the digital world we trust insecure data from unauthenticated sources.
Aren’t Computers Protecting Us?
Expected exchange (diagram):
◦ Requests http://www.tdbank.com
◦ Server Returns TDBank Homepage
◦ User Submits Logon Information
◦ Server Returns Account Information

Same exchange with a hacker in the path (diagram):
◦ Requests http://www.tdbank.com
◦ Hacker Returns TDBank Homepage
◦ Hacker Submits Logon Information
◦ Hacker Returns Error Page
◦ Political
◦ Espionage
◦ Retaliation
◦ Internal Threats
◦ Just Because I Can
◦ Financial Gain
This will never happen to me….
Still don’t believe me?
So what do we do?
◦ Good Policy
◦ Best of Breed Technology Solutions
◦ Staff and End User Education
What everyone should do!
◦ Make sure computers used to do bank transactions are not used for any other Internet work – like email or browsing.
Best Practices for a Cyber Security Policy
◦ Establish an IT Cyber Security Policy
◦ Put someone in charge to develop and implement plans and policies
◦ Develop a cyber security plan (many examples can be found online)
◦ Promote and increase the awareness and training of cyber security and user understanding of risks and risk behavior
◦ Communicate the responsibilities for the organization and individual users’ protection of information; be aware of regulations regarding the protection of information.
◦ Establish communication procedures: everyone needs to know what, how and to whom to report a cyber security incident or problem.
The plan should also…
◦ Identify threats, vulnerabilities and consequences and take appropriate action to mitigate and prevent them; this includes password policies (strength and updating)
◦ Prepare for the inevitable – COOP and COG: Continuity of Operations and Continuity of Government; disaster recovery, including protecting the availability and recoverability of the organization’s information services and missions
◦ Ensure a hardware and software asset inventory is maintained
An unprotected computer is one that does not (or: what all your computers need to do)…
◦ Have antivirus or spyware protection software installed and updated regularly
◦ Have a hardware or software firewall installed to manage communications between and among networks
◦ Require the user to authenticate (using a password or a token) when logging on
◦ Have operating system and software patches installed and regularly updated
POLL QUESTION!
How to Protect your Computing Environment
Protect Your Border
◦ Use a strong firewall. What is a firewall? A system (software or hardware or both) designed to prevent unauthorized access to or from a private network. US Border Patrol = Firewall
◦ Gateway – something that serves as an entrance or a means of access. US Customs Border Crossing = Gateway
What Comes Through the Border? Email, websites, file transfers – DATA!!! Is it good or bad data?
Is the Data OK?
◦ Emails are scanned in the same way our border patrol looks at suspicious vehicles or people doing abnormal things (i.e., profiling)
◦ Viruses have signatures that behave in certain manners. Variants – little changes that behave a little differently but overall have the same profile.
Is the Data OK?
◦ Spam is scanned much the same way a virus is detected: by behavior. Behavior could be an attachment type of file, i.e., a zip, exe, or bat file, or words or suspicious and known URL links that appear in an email.
◦ This is possibly why a good email is flagged bad: because of possible suspicious behavior.
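To make the behavior-based scanning above concrete, here is an added example (not code from the presentation or from any gateway product) that scores a raw mail message on the three behaviors the slide names: risky attachment types, suspicious wording, and links to known-bad domains. The weights, phrase list, "known bad" domain list and the sample messages are all constructed for the illustration; the second sample is an ordinary help-desk note that still trips the attachment rule, which is exactly the false positive the slide warns about.

```python
"""Behaviour-based scoring of an incoming mail message, modelled on the
gateway scanning the slide describes (attachment type, suspicious words,
known URL links).  Added illustration; not code from the presentation.
The weights, phrase list and "known bad" domain list are constructed."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Attachment types the slide names as suspicious behaviour (constructed list).
RISKY_EXTENSIONS = {".zip", ".exe", ".bat"}
# Phrases that often appear in unsolicited mail (constructed, illustrative).
SUSPICIOUS_PHRASES = ("verify your account", "act now", "suspended")
# Stand-in for a feed of known-bad link domains (constructed; .test is reserved).
KNOWN_BAD_DOMAINS = {"example-bad.test"}
# Score at or above which the message is held instead of delivered.
QUARANTINE_THRESHOLD = 3

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def attachment_names(msg):
    """Filenames of all attached parts, in message order."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def body_text(msg):
    """Concatenated text/plain parts that are not themselves attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw):
    """Return {'score', 'verdict', 'reasons'} for one RFC 822 message string."""
    msg = message_from_string(raw)
    score, reasons = 0, []

    for name in attachment_names(msg):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            score += 3
            reasons.append(f"risky attachment type: {name}")

    text = body_text(msg).lower()
    for phrase in SUSPICIOUS_PHRASES:
        if phrase in text:
            score += 1
            reasons.append(f"suspicious phrase: {phrase!r}")

    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if host in KNOWN_BAD_DOMAINS:
            score += 3
            reasons.append(f"known bad link: {host}")

    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample: unsolicited mail with a zip attachment and a bad link.
PHISH = """\
From: Accounts <accounts@example-bad.test>
Subject: Verify your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your account has been suspended. Please verify your account by opening the
attachment or visiting http://example-bad.test/login
--b1
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample: a legitimate note that still trips the attachment rule,
# the false positive the slide warns about.
LEGIT_WITH_ZIP = """\
From: helpdesk@township.example
Subject: Log files
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Attached are the log files you asked for this morning.
--b2
Content-Type: application/zip; name="logs.zip"
Content-Disposition: attachment; filename="logs.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit+zip", LEGIT_WITH_ZIP)):
        print(label, score_message(raw))
```

The verdict is a simple threshold over additive weights, so a single risky attachment is enough to quarantine on its own; that is deliberate, and it is why the help-desk note lands in quarantine too. In practice the threshold and weights are what an administrator tunes when good mail keeps being flagged.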
Where is Your Protection?
◦ Cloud protection – mail first goes into a 3rd party system, is scanned, then forwarded to your system
◦ Software gateway scanning – harder to manage but effective and easy to control
◦ Hardware devices – Barracuda, WatchGuard, SonicWall, etc. – can be costly, but some work with the cloud to continue updates.
You are Always the Last Line of Defense
Another analogy for a data request:
◦ Web request = ordering a package from outside the US.
◦ Goes through okay, undetected….. (may still contain a virus)
◦ Delivery comes to your house (equivalent to your PC)
◦ Houses have security systems; computers have them too, referred to as “endpoint security.” Even though a package is delivered, it gets scanned again at delivery.
Is Any of this 100%?
◦ None of the security systems are 100% perfect, since threats are always evolving
◦ If you say it’s okay to release, or it’s okay to come through, it still may not be safe
◦ Behavior-based detection of viruses and intrusions is the cornerstone of stopping DDoS, bank theft, and multiple-variant viruses such as key loggers
◦ Keep everything updated, and favor whatever is easiest to update and distribute in your environment
QUIZ TIME
End User Education – The Best Defense
STOP & THINK! Always be suspicious – look for red flags
◦ If a stranger came to your door, informed you he is from your bank and would like to verify a few items with you, and proceeded to ask you your name, social security number and date of birth, what would you do?
◦ Why is an email any different?
◦ For example: You receive an email at work from a bank that you do not do business with, asking you to click on the attachment to verify information. 9 out of 10 times you will click on the link, thinking it’s work related. How is this different than someone showing up at your door?
Don’t Assume that an Attachment is Safe
◦ Did you look up contact information to verify that this is a legitimate bank?
◦ Inspect the link in the email to see if it looks real or fake.
◦ Did you call the bank to see if they sent the email out? Did you seek help from your technology staff? Is this necessary?
◦ YES! Better to be safe than lose all your data, or worse yet compromise your entire network’s data
Don’t Assume that a Link in an Email or Website is Safe!
◦ Don’t click on links from inside emails
◦ In all cases involving security or banking information: look for web addresses with “https://” or “shttp://”; the “s” means the site takes extra measures to help secure your information. “http://” is not secure.
◦ Only go to trusted websites
◦ Make sure the site is legitimate: before entering any information, look for signs that the site is secure.
◦ Look for a closed padlock on your web browser’s address bar
◦ Never use unsecured wireless networks to make an online purchase
◦ Protect your $$: when banking and shopping, check to be sure the site is security enabled.
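Two of the checks the slides ask the reader to do by eye, inspecting whether the link "looks real or fake" and whether the address starts with "https://", can be written down as a small script. The following is an added example, not code from the presentation: it pulls every link out of an HTML email, flags any that do not use https, and flags any whose visible text names one domain while the href actually points at another. The sample HTML and every host name in it are constructed (the .example and .test names are reserved for exactly this purpose); the padlock check stays with the browser.

```python
"""Checking the links in an HTML e-mail the way the slide tells the reader to
by eye: is the scheme https, and does the text shown match where the link
really goes?  Added illustration; not code from the presentation.  The sample
HTML and all host names are constructed (.example and .test are reserved)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name.  Adequate for the constructed names
    here; a production checker would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_url(text):
    """Visible text that a reader would take for a web address."""
    return "." in text and " " not in text


def inspect_link(text, href):
    """Return a list of human-readable red flags for one link (empty if none)."""
    findings = []
    target = urlparse(href)
    if target.scheme != "https":
        findings.append("not https")
    if looks_like_url(text):
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        actual = target.hostname or ""
        if registered_domain(shown) != registered_domain(actual):
            findings.append(f"text shows {shown} but link goes to {actual}")
    return findings


def inspect_html(html):
    """Map each href in the message to its red flags."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: inspect_link(text, href) for text, href in collector.links}


# Constructed sample: one link whose text impersonates the bank, one genuine.
SAMPLE = """
<p>Dear customer, please visit
<a href="http://login-secure.test/mybank">www.mybank.example/login</a>
to verify your details, or read our
<a href="https://www.mybank.example/help">help pages</a>.</p>
"""

if __name__ == "__main__":
    for href, flags in inspect_html(SAMPLE).items():
        print(href, "->", flags or ["no red flags"])
```

The text-versus-target comparison is the important one: a mail client shows the anchor text, not the href, so a link can read as the bank's address while going somewhere else entirely. Hovering over the link before clicking is the manual version of the same check.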
It Isn’t Just a Mouse Click
◦ Attackers may attempt to gather information by sending emails requesting that you confirm purchase or account information.
◦ Legitimate businesses will not solicit this type of information through email. Contact the merchant directly if you are alerted to a problem.
◦ Use contact information found on your account statement, not in the email.
You Must Outsmart the Attackers – How?
◦ By stopping and thinking before you click
◦ Ensure your computer has antivirus software and it is up to date. Reminder: renew your antivirus when it has expired
◦ Verify your antivirus is running and doing scans. Check the logs after a scan.
◦ Verify with the sender that an email with an attachment was actually sent by them
◦ Train your technical staff; train your users
◦ Make sure your contractors meet these standards
You Must Outsmart the Attackers
◦ Use strong passwords; do not use names, dates of birth, etc.
◦ If you’re in doubt, then don’t click on it
◦ Turn your computer off or lock it when not in use
◦ Keep your operating system updates up to date
◦ Don’t go to untrusted sites
◦ Scan your computers for spyware or malware weekly
Some Resources
◦ www.njgmis.org
◦ www.gmis.org
◦ www.cisecurity.org
◦ www.stopthinkconnect.org
◦ msisac.cisecurity.org
◦ msisac.cisecurity.org/resources/toolkit/oct13/index.cfm
Articles based on an extended version of this presentation will be in upcoming issues
of New Jersey Municipalities Magazine.
Contact Us
(732) 734-1805
www.njgmis.org
GMIS-NJ is the League’s Official Technology Management Support Organization
CGCIO Program at Rutgers: http://spaa.newark.rutgers.edu/cgcio
GMIS-NJ’s Annual Technology Education Conference, March 27th 2014
“The Palace” in Somerset (Franklin Township)
Registration information at: www.njgmis.org / [email protected]

Contact Information
Justin Heyman, Certified Government CIO, Director of Information Technology, Township of Franklin, [email protected]
Todd Costello, Director of MIS, Township of Middletown, [email protected]
Marc Pfeiffer, PfeifferGov, [email protected]
Robert McQueen, Certified Government CIO, Chief Information Officer, Princeton, [email protected]