Post on 24-May-2020
Pasadena Cyber Security Roundtable: Information Security Awareness
March 2017
© Copyright 2017. Citadel Information Group. All Rights Reserved.
Providing Information Peace of Mind ® to Business and the Not-for-Profit Community
Kimberly Pease, CISSP
25 years in information security and information technology
Co-founder and Vice President
Citadel Information Group, Inc.
Certifications:
CISSP
Six Sigma Black Belt
Information Systems Security Association, Los Angeles Chapter (ISSA-LA), since 2002
Interviews with the media: Good Morning America, NBC News
Instructor
Why a Business Needs Information Security Awareness Training
1. Most are unaware
2. Laws and regulations
3. Compliance and contracts
4. Incident Response – what to do?
5. Threats and vulnerabilities have changed
6. Management is committed and wants to change culture and provide guidance to staff
7. Address the myths surrounding “It is a technical problem and IT’s job.”
8. Other?
Excerpts from Citadel’s Information Security Awareness Training
Information Security Matters … And YOU Are the First Line of Defense
The Business Needs Your Commitment
• Understand that the business’ information has value to cyber criminals
• Understand that the business is under attack by cyber criminals
• Understand the consequences to you and the business, if we fail to protect our sensitive information
• Commit to doing your part to protect the business’ information
Cybercrime’s Greatest Impact is on Small & Medium Sized Organizations
• 30% of victims have fewer than 250 employees
• 60% of small-business victims are out of business within 6 months
• 80% of these breaches are preventable
What Do Cybercriminals Want: $$$$$
• Steal information
  • Social Security Numbers
  • Credit card numbers
  • Bank account numbers
  • Health information
  • Sales / donor lists
  • Login credentials
  • Trade secrets
  • Intellectual property
• Deny you the ability to use your own information
• Ransomware
• Use your computer
  • Attack other victims
    • Botnet
    • DDoS
  • Storage
    • Stolen software
    • Stolen movies
    • Child porn
What are they after?
Information = $$$
What Does This Have to Do With You?
• You Have What They Want
• You are a Target
• You are Their Way In
• It Only Takes One!
Understand the threat and impact to you and the business
Not just the lone hacker anymore
Who are these guys?
Think of all the places information is stored
Not all information is created equal
Confidential
Restricted
Public
Information classification is usually determined by the impact to the business if it is disclosed.
Laws and Regulations: Compliance
PCI Compliance
• PCI = Payment Card Industry Data Security Standard
• PCI compliance requires a high level of security
HIPAA Compliance
• HIPAA = Health Insurance Portability and Accountability Act and requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy and security of protected health information.
• HIPAA compliance requires a high level of security
• CE (covered entities) and BA (business associates) are now liable
People, though, continue to create the greatest risks.
People are our weakest link when it comes to information security.
When they practice insecure behaviors, they are our greatest vulnerability.
People are our greatest asset
Cybercriminals know you aren’t paying attention
• Cybercriminals study behaviors of employees
• They use you to get around security defenses
• They make you an unwitting accomplice to allow them to steal information
• All they need is just one vulnerable careless person
• One behavior can cost a company thousands and even millions of dollars
Poor security habits = business risk
• Weak password habits
• Poor email habits
• Poor workplace security habits
• Poor judgment habits
• Workarounds
• Careless behavior
• Poor judge of risk
• All of these are known to the hackers and cybercriminals
Social Engineering
Most Common Types of Social Engineering Attacks
• Phishing: casting a wide net
• Smishing: texting
• Vishing: voice
• Spear Phishing: targeting a specific fish
Components of a Phishing Email
Hello,
As part of our security measures, we regularly screen activity in the system.
We recently contacted you after noticing an issue on your account. A system detected unusual
information on your account.
Please follow the link bellow.
www.linktobadwebsite.com
If you don’t follow the link, your account will be blocked.
Regards,
The IT Department
• Asserts authority
• Raises concern
• Provides links or attachments
• Contains threats or urgency
• Typos
• Generic greeting
• From a familiar company or person
http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps.signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/
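The two slides above make one point each: a phishing message shows a recognisable set of tells, and a link that starts with a trusted brand name can still belong to someone else, because everything left of the last two labels of the hostname is a subdomain the owner chose. The following Python is an added example, not Citadel's code or part of the deck: it scores the sample e-mail printed above against the listed indicators and shows which domain the long citibank-prefixed link really resolves to. The phrase lists, the brand list and the "last two labels" rule are assumptions of this example; a production check would use the Public Suffix List and much larger indicator lists.

```python
"""Added example (not Citadel's code): flag the phishing indicators the deck
lists, and show which domain a long, brand-stuffed link really points to.
The sample e-mail and the link are the ones printed in the deck; the phrase
lists, the brand list and the last-two-labels rule are assumptions here."""
import re
from typing import Optional
from urllib.parse import urlsplit

# Sample e-mail copied from the deck's "Components of a Phishing Email" slide.
SAMPLE_EMAIL = """Hello,
As part of our security measures, we regularly screen activity in the system.
We recently contacted you after noticing an issue on your account. A system detected unusual
information on your account.
Please follow the link bellow.
www.linktobadwebsite.com
If you don't follow the link, your account will be blocked.
Regards,
The IT Department
"""

# The deceptive link from the deck, joined back onto one line.
DECK_URL = ("http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps"
            ".signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz"
            ".udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o"
            ".aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/")

# Constructed indicator lists (assumption); a real filter would use far larger ones.
URGENCY_PHRASES = ("will be blocked", "immediately", "within 24 hours", "suspended")
GENERIC_GREETINGS = ("hello,", "dear customer", "dear user", "dear member")
KNOWN_MISSPELLINGS = ("bellow", "recieve", "verfy", "acount")
AUTHORITY_PHRASES = ("it department", "security team", "help desk")
BRANDS = ("citibank", "paypal", "microsoft")


def _host(url: str) -> str:
    """Hostname of a URL; links pasted without a scheme (www.example.com) are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(url: str) -> str:
    """The part of the host that decides who owns it: the last two labels.
    Simplification: a real check uses the Public Suffix List so that
    co.uk-style suffixes are handled correctly."""
    labels = _host(url).split(".")
    return ".".join(labels[-2:])


def impersonated_brand(url: str, brands=BRANDS) -> Optional[str]:
    """A brand name that appears in the host but is not the registrable domain.
    Everything left of the registrable domain is a subdomain the owner chose freely."""
    host = _host(url)
    owner = registrable_domain(url)
    for brand in brands:
        if brand in host and brand not in owner:
            return brand
    return None


def phishing_indicators(text: str) -> dict:
    """Map each indicator from the deck's slide to whether the message shows it."""
    lower = text.strip().lower()
    links = re.findall(r"(?:https?://|www\.)[^\s<>\"]+", text)
    return {
        "generic_greeting": any(lower.startswith(g) for g in GENERIC_GREETINGS),
        "urgency_or_threat": any(p in lower for p in URGENCY_PHRASES),
        "has_link": bool(links),
        "typos": [w for w in KNOWN_MISSPELLINGS if re.search(rf"\b{w}\b", lower)],
        "asserts_authority": any(p in lower for p in AUTHORITY_PHRASES),
        "link_impersonates": [b for b in (impersonated_brand(u) for u in links) if b],
    }


def indicator_count(text: str) -> int:
    """Number of indicators present; several at once is a strong 'forward to IT' signal."""
    return sum(1 for present in phishing_indicators(text).values() if present)


if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_EMAIL))
    print("link really goes to:", registrable_domain(DECK_URL),
          "while pretending to be", impersonated_brand(DECK_URL))
```

Run as a script it prints five triggered indicators for the sample message, and reports that the long link belongs to paroquiansdores.org while carrying "citibank" only as a subdomain label. The same registrable-domain check is what a user should do by eye: read the hostname from the right, not the left.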
Users Unwittingly Open the Door to Cybercrime
Ransomware = Data kidnapping
• Type of malware
• Email ransom note containing demands
• Prevents or limits access to a system or device
• Locks the system’s screen or encrypts files
• Forces users to pay the ransom through certain online payment methods to get a decryption key
• Never any guarantee the data will be returned
Ransomware infections using names of various authorities
Ransomware that locks up workstations and encrypts users’ files
Spear Phishing
* NOTE: This e-mail originated from an IP address in Aubervilliers, France
Social Engineering Do’s and Don’ts
Ask yourself: is it unsolicited and unexpected?
Look for grammatical errors or typos
Pay attention to the greeting
Be wary of attachments
Don’t click on links
Get rid of the email or forward to IT
Never provide passwords
Never provide confidential information without positive verification
Listen to your gut
Keep Computer Programs Patched and Updated
How Secure Is Your Password?
Choosing a Strong Password
• Must contain between 8 and 12 characters
• Must contain at least one character from each of the following four categories
  • Numbers: 1, 2, 3, 4, …
  • Lowercase letters: a, b, c, d, …
  • Uppercase letters: A, B, C, D, …
  • Special characters: !, @, #, $, …
Passwords: Things to Avoid
• Should not be just words from a dictionary, ANY dictionary (English, French, Russian, etc.)
• Should not be something of personal significance
• Pet/spouse/child’s name
• Phone number
• Birthday / Anniversary
• Anything on Social media sites, Facebook, etc.
• Anything associated with the business
• Avoid simple transformations
• Reversing the spelling
• Avoid just changing the last two characters
  • MyPasswordIs01, MyPasswordIs02, MyPasswordIs03, …
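The two slides above give a composition rule (8 to 12 characters, one of each of four classes) and a list of things to avoid (dictionary words, personal facts, reversed spelling, bumping the last two characters). As an added example that is not Citadel's code or part of the deck, the Python below turns both slides into a single check that a help desk or self-service reset page could run. The word list and personal-fact list are small constructed stand-ins, and the `previous` parameter is an assumption of this example; a real deployment would load a full dictionary plus a breached-password list, and current guidance (NIST SP 800-63B) favours longer passphrases with no upper length limit, so the deck's 12-character ceiling is exposed as a parameter rather than hard-coded.

```python
"""Added example (not Citadel's code): check a password against the deck's
composition rule and its 'things to avoid' list. DICTIONARY and PERSONAL are
constructed stand-ins; `previous` (the user's last password) is an assumption."""
import string

DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "citadel"}  # constructed
PERSONAL = {"fluffy", "pasadena", "19850412"}  # constructed: pet name, city, birthday


def has_all_classes(pw: str) -> bool:
    """Deck rule: at least one digit, lowercase, uppercase and special character."""
    return (any(c.isdigit() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c in string.punctuation for c in pw))


def contains_listed_word(pw: str, words) -> bool:
    """True if any listed word (4+ chars, to avoid noise) appears inside the password."""
    low = pw.lower()
    return any(w in low for w in words if len(w) >= 4)


def is_simple_transformation(pw: str, previous: str) -> bool:
    """Deck's 'avoid' list: the old password spelled backwards, or the same
    password with only the last two characters changed (MyPasswordIs01 -> 02)."""
    if not previous:
        return False
    if pw.lower() == previous.lower()[::-1]:
        return True
    if (len(pw) > 2 and len(pw) == len(previous)
            and pw[:-2].lower() == previous[:-2].lower()):
        return True
    return False


def check_password(pw: str, previous: str = None, min_len: int = 8, max_len: int = 12) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if not (min_len <= len(pw) <= max_len):
        problems.append(f"length must be {min_len}-{max_len} characters")
    if not has_all_classes(pw):
        problems.append("needs a digit, a lowercase, an uppercase and a special character")
    if contains_listed_word(pw, DICTIONARY):
        problems.append("contains a dictionary word")
    if contains_listed_word(pw, PERSONAL):
        problems.append("contains personal information")
    if is_simple_transformation(pw, previous):
        problems.append("simple transformation of the previous password")
    return problems


if __name__ == "__main__":
    # "EdIeic4l!" is the deck's own sentence-based example; the rest are constructed.
    for candidate, prev in [("EdIeic4l!", None), ("Fluffy1985!", None),
                            ("MyPasswordIs02", "MyPasswordIs01"), ("!drowssaP1", "1Password!")]:
        print(candidate, "->", check_password(candidate, prev) or "OK")
```

The deck's sentence-derived example "EdIeic4l!" passes every rule; "MyPasswordIs02" fails on length, missing special character, the embedded dictionary word and the last-two-characters pattern at once, which is the point the slide makes.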
Safe Password Practices
• Change regularly
• Keep your passwords private
• If you must write down your passwords, keep them safe
Tips to Remember Your Password
• Punctuate passwords with numbers and special characters.
• Prada9forthewin!
• 1cat2many!!
• My*space*4*life
• Create a password around a sentence that has meaning for you
• EdIeic4l! = Every day I eat ice cream for lunch!
• Mdi@s2dr? = My daughter is at school today, right?
• Passphrases
• Go2seeTheWizard%
• IronMan!StheM0^132c
• Random Keyboard patterns
• Bgt%678uhb
• mJU&^%432
Other things may be downloaded
Topics we haven’t covered
• Personal email accounts, e.g. Gmail, Yahoo
• Remote access
• Wireless
• Piggybacking
• Physical security
• Sharing of passwords and logins
• Encryption
• The cloud
• BYOD
• Social Network
• Protecting paper
• Phishing
• Vishing
• Smishing
• Scareware
• Business Email Compromise (BEC)
• Workplace Security
• Workstation
• What to do if something is wrong
Everyone is Responsible for Protecting Sensitive Information