
Pasadena Cyber Security Roundtable: Information Security Awareness

March 2017

© Copyright 2017. Citadel Information Group. All Rights Reserved.

Providing Information Peace of Mind ® to Business and the Not-for-Profit Community

Kimberly Pease, CISSP

Co-founder and Vice President, Citadel Information Group, Inc.

25 years in information security and information technology

Certifications: CISSP; Six Sigma Black Belt

Information Systems Security Association, Los Angeles Chapter (ISSA-LA), since 2002

Interviews with the media: Good Morning America, NBC News

Instructor


Why a Business Needs Information Security Awareness Training


1. Most are unaware

2. Laws and regulations

3. Compliance and contracts

4. Incident Response – what to do?

5. Threats and vulnerabilities have changed

6. Management is committed and wants to change culture and provide guidance to staff

7. Address the myths surrounding “It is a technical problem and IT’s job.”

8. Other?

Excerpts from Citadel’s Information Security Awareness Training


Information Security Matters … And YOU Are the First Line of Defense


The Business Needs Your Commitment

• Understand that the business’ information has value to cyber criminals

• Understand that the business is under attack by cyber criminals

• Understand the consequences to you and the business, if we fail to protect our sensitive information

• Commit to doing your part to protect the business’ information


Cybercrime’s Greatest Impact is on Small & Medium Sized Organizations

• 30% of victims have fewer than 250 employees

• 60% of small-business victims are out of business within 6 months

• 80% of these breaches were preventable


What Do Cybercriminals Want: $$$$$

• Steal Information
  • Social Security Numbers
  • Credit Numbers
  • Bank Account Numbers
  • Health Information
  • Sales / Donor Lists
  • Login Credentials
  • Trade Secrets
  • Intellectual Property

• Deny you the ability to use your own information
  • Ransomware

• Use Your Computer
  • Attack other victims
    • Botnet
    • DDoS
  • Storage
    • stolen software
    • stolen movies
    • child porn


What are they after?


Information = $$$


What Does This Have to Do With You?

• You Have What They Want

• You are a Target

• You are Their Way In

• It Only Takes One!


Understand the threat and impact to you and the business


Not just the lone hacker anymore


Who are these guys?


Think of all the places information is stored


Not all information is created equal


• Confidential

• Restricted

• Public

Information classification is usually determined by the impact to the business if the information is disclosed.


Laws and Regulations: Compliance


PCI Compliance

• PCI = Payment Card Industry Data Security Standard

• PCI compliance requires a high level of security


HIPAA Compliance

• HIPAA = Health Insurance Portability and Accountability Act and requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy and security of protected health information.

• HIPAA compliance requires a high level of security

• CE (covered entities) and BA (business associates) are now liable


People, though, continue to create the greatest risks.

People are our weakest link when it comes to information security.

When they practice insecure behaviors, they are our greatest vulnerability.


People are our greatest asset


Cybercriminals know you aren’t paying attention

• Cybercriminals study behaviors of employees

• They use you to get around security defenses

• They make you an unwitting accomplice to allow them to steal information

• All they need is just one vulnerable careless person

• One behavior can cost thousands and even millions of dollars to a company


Poor security habits = business risk

• Weak password habits

• Poor email habits

• Poor workplace security habits

• Poor judgment habits

• Workarounds

• Careless behavior

• Poor judge of risk

• All of these are known to the hackers and cybercriminals


Social Engineering


Most Common Types of Social Engineering Attacks

• Phishing – casting a wide net

• Smishing – texting

• Vishing – voice

• Spear Phishing – targeting a specific fish


Components of a Phishing Email


Hello,

As part of our security measures, we regularly screen activity in the system.

We recently contacted you after noticing an issue on your account. A system detected unusual

information on your account.

Please follow the link bellow.

www.linktobadwebsite.com

If you don’t follow the link, your account will be blocked.

Regards,

The IT Department

Signs that mark this message as phishing:

• Asserts authority

• Raises concern

• Provides links or attachments

• Contains threats or urgency

• Typos

• Generic greeting

• From a familiar company or person
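The indicators listed above can be turned into a simple screen of an e-mail body. The following Python is an added example written for this page, not material from the presentation: it checks the slide's sample message (typed out as SAMPLE_PHISH) and a constructed benign control message against constructed phrase lists. The phrase lists, function names and the count-based score are assumptions of the example, and the "from a familiar company or person" indicator is left out because it needs the From header rather than the body.

```python
import re

# Sample message: the phishing e-mail reproduced on the slide, typed out here
# so the example runs offline. The indicator phrase lists below are constructed
# for this example and are not from the slide deck.
SAMPLE_PHISH = """Hello,

As part of our security measures, we regularly screen activity in the system.
We recently contacted you after noticing an issue on your account. A system detected unusual
information on your account.
Please follow the link bellow.
www.linktobadwebsite.com
If you don't follow the link, your account will be blocked.

Regards,
The IT Department
"""

# A constructed benign message used as a control case.
SAMPLE_BENIGN = """Hi Kim,

The agenda for Thursday's roundtable is attached. See you there.

John
"""

GENERIC_GREETINGS = ("hello,", "hi,", "dear customer,", "dear user,", "dear member,")
AUTHORITY_PHRASES = ("it department", "security team", "system administrator",
                     "helpdesk", "security measures")
CONCERN_PHRASES = ("unusual", "suspicious", "issue on your account",
                   "unauthorized", "compromised")
URGENCY_PHRASES = ("will be blocked", "will be suspended", "immediately",
                   "within 24 hours", "if you don't")
COMMON_MISSPELLINGS = ("bellow", "recieve", "untill", "adress", "verfiy")
LINK_RE = re.compile(r"https?://\S+|www\.\S+|follow the link|click here", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"\battach(?:ed|ment)\b", re.IGNORECASE)


def _found(text, phrases):
    """Return the phrases that occur in `text` (text is already lower-cased)."""
    return [p for p in phrases if p in text]


def phishing_indicators(message):
    """Map each slide indicator that fires to the evidence found in the body.

    Keys mirror the slide: generic greeting, asserts authority, raises concern,
    provides links or attachments, threats or urgency, typos.
    """
    text = message.lower()
    lines = [ln.strip() for ln in message.splitlines() if ln.strip()]
    greeting = lines[0].lower() if lines else ""
    hits = {}
    if greeting in GENERIC_GREETINGS:
        hits["generic greeting"] = [greeting]
    authority = _found(text, AUTHORITY_PHRASES)
    if authority:
        hits["asserts authority"] = authority
    concern = _found(text, CONCERN_PHRASES)
    if concern:
        hits["raises concern"] = concern
    links = LINK_RE.findall(message) + ATTACHMENT_RE.findall(message)
    if links:
        hits["provides links or attachments"] = links
    urgency = _found(text, URGENCY_PHRASES)
    if urgency:
        hits["threats or urgency"] = urgency
    typos = _found(text, COMMON_MISSPELLINGS)
    if typos:
        hits["typos"] = typos
    return hits


def phishing_score(message):
    """Number of slide indicators that fire; a business would set its own threshold."""
    return len(phishing_indicators(message))


if __name__ == "__main__":
    for name, msg in (("slide sample", SAMPLE_PHISH), ("benign control", SAMPLE_BENIGN)):
        print(name, phishing_score(msg), phishing_indicators(msg))
```

Any single indicator (the benign note also mentions an attachment) is weak evidence on its own; it is the pile-up of several in one short message that the slide is teaching readers to notice, which is why the score counts distinct indicators rather than individual phrase matches.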


http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps.signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/
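The deceptive link above works because readers stop at "citibank.com" and never reach the last two labels, which name the site's real owner. As an added example, not from the slide deck, this Python splits such a link into its host labels and reports the registrable domain (assumed here to be the last two labels, with no Public Suffix List handling for suffixes like .co.uk) together with the other warning signs visible in the slide's URL. SLIDE_URL is the slide's own link re-joined onto one line; WATCHED_BRANDS, LURE_WORDS and the function names are assumptions of the example.

```python
from urllib.parse import urlsplit

# The deceptive URL shown on the slide, re-joined onto one line.
SLIDE_URL = ("http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps.signon."
             "online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f."
             "uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj."
             "4yqvgfy5geuuxeefcoe7.paroquiansdores.org/")

# Constructed watch lists for this example (not from the slide).
WATCHED_BRANDS = ("citibank", "paypal", "microsoft")
LURE_WORDS = ("secure", "ssl", "signon", "login", "sessionid", "welcome", "verify")


def host_labels(url):
    """Split the host name into its dot-separated labels, left to right."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return host.split(".") if host else []


def registrable_domain(url):
    """The domain somebody actually registered: the last two labels.

    Assumption for this example: no public-suffix handling, so a real checker
    would consult the Public Suffix List for two-part suffixes such as .co.uk.
    """
    labels = host_labels(url)
    return ".".join(labels[-2:])


def brand_impersonation(url, brands=WATCHED_BRANDS):
    """Brands that appear somewhere in the host but not in the registrable domain."""
    labels = host_labels(url)
    registered = registrable_domain(url)
    return [b for b in brands
            if any(b in lbl for lbl in labels) and b not in registered]


def url_warnings(url):
    """Human-readable reasons the link deserves suspicion (empty list if none)."""
    labels = host_labels(url)
    reasons = []
    for brand in brand_impersonation(url):
        reasons.append(f"'{brand}' is only a subdomain; the site belongs to "
                       f"{registrable_domain(url)}")
    if len(labels) > 5:
        reasons.append(f"unusually deep host name ({len(labels)} labels)")
    lures = [lbl for lbl in labels if lbl in LURE_WORDS]
    if lures:
        reasons.append("reassuring words used as subdomains: " + ", ".join(lures))
    if urlsplit(url).scheme == "http" and "ssl" in labels:
        reasons.append("host claims 'ssl' but the link is plain http")
    return reasons


if __name__ == "__main__":
    print("registered domain:", registrable_domain(SLIDE_URL))
    for reason in url_warnings(SLIDE_URL):
        print(" -", reason)
```

The same functions return no warnings for a link such as https://online.citibank.com/signon, because there the brand is the registrable domain itself rather than a decoration hung in front of somebody else's.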

Users Unwittingly Open the Door to Cybercrime


Ransomware = Data kidnapping

• Type of malware

• Email ransom note containing demands

• Prevents or limits access to a system or device

• Locks systems screen or encrypts files

• Forces users to pay the ransom through certain online payment methods to get a decrypt key

• Never any guarantee the data will be returned


Ransomware infections using names of various authorities


Ransomware that locks up workstations and encrypts users' files


Spear Phishing

* NOTE: This e-mail originated from an IP address in Aubervilliers, France

Social Engineering Do’s and Don’ts


Ask yourself: is it unsolicited and unexpected?

Look for grammatical errors or typos

Pay attention to the greeting

Be wary of attachments

Don’t click on links

Get rid of the email or forward to IT

Never provide passwords

Never provide confidential information without positive verification

Listen to your gut


Keep Computer Programs Patched and Updated


How Secure Is Your Password?


Choosing a Strong Password

• Must contain between 8 – 12 characters

• Must contain at least one character from each of the following four categories

• Numbers: 1, 2, 3, 4, …

• Lowercase letters: a, b, c, d, …

• Uppercase letters: A, B, C, D, …

• Special characters: !, @, #, $, …


Passwords: Things to Avoid

• Should not be just words from the dictionary, ANY dictionary, i.e. English, French, Russian, etc.

• Should not be something of personal significance

• Pet/spouse/child’s name

• Phone number

• Birthday / Anniversary

• Anything on Social media sites, Facebook, etc.

• Anything associated with the business

• Avoid simple transformations

• Reversing the spelling

• Avoid just changing the last two characters: MyPasswordIs01, MyPasswordIs02, MyPasswordIs03, …


Safe Password Practices

• Change regularly

• Keep your passwords private

• If you must write down your passwords, keep them safe


Tips to Remember Your Password

• Punctuate passwords with numbers and special characters.

• Prada9forthewin!

• 1cat2many!!

• My*space*4*life

• Create a password around a sentence that has meaning for you

• EdIeic4l! = Every day I eat ice cream for lunch!

• Mdi@s2dr? = My daughter is at school today, right?

• Passphrases

• Go2seeTheWizard%

• IronMan!StheM0^132c

• Random Keyboard patterns

• Bgt%678uhb

• mJU&^%432
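The composition rules, the "things to avoid", and the sentence-to-password tip above can all be checked mechanically. The Python below is an added example, not code from the presentation: sentence_password() builds a password from a sentence the way the slide's EdIeic4l! and Mdi@s2dr? examples do (the word swaps for → 4, at → @ and today → 2d are an assumption chosen to reproduce those two examples), and password_problems() reports which of the slide's rules a candidate breaks, including reversed dictionary words, personal facts, and a last-two-character change from the previous password. The DICTIONARY and PERSONAL_FACTS lists are constructed for the example.

```python
import re
import string

# Constructed sample data for this example (not from the slides): a tiny
# dictionary and a few "personal" facts of the kind found on social media.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "citadel"}
PERSONAL_FACTS = {"fido", "pasadena", "1985", "5551234"}

# Word-to-symbol swaps that reproduce the slide's two sentence examples;
# the table itself is an assumption of this example.
WORD_SWAPS = {"for": "4", "to": "2", "too": "2", "at": "@", "today": "2d"}


def sentence_password(sentence):
    """Build a password from the first letters of a sentence, as the slide suggests.

    Each word contributes its first character unless WORD_SWAPS has a swap for it;
    a closing ! or ? is kept so the result still contains a special character.
    """
    parts = []
    for word in sentence.split():
        core = word.strip(string.punctuation)
        if not core:
            continue
        parts.append(WORD_SWAPS.get(core.lower(), core[0]))
    tail = sentence.rstrip()
    if tail and tail[-1] in "!?":
        parts.append(tail[-1])
    return "".join(parts)


def password_problems(candidate, previous=None):
    """Return the slide's rules that `candidate` breaks; an empty list means it passes."""
    problems = []
    if not 8 <= len(candidate) <= 12:
        problems.append("length must be 8-12 characters")
    required = {
        "number": any(c.isdigit() for c in candidate),
        "lowercase letter": any(c.islower() for c in candidate),
        "uppercase letter": any(c.isupper() for c in candidate),
        "special character": any(c in string.punctuation for c in candidate),
    }
    problems.extend(f"missing {name}" for name, ok in required.items() if not ok)
    lowered = candidate.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    # Dictionary words are rejected even when reversed (a "simple transformation").
    if letters_only in DICTIONARY or letters_only[::-1] in DICTIONARY:
        problems.append("dictionary word, possibly reversed")
    problems.extend(f"contains personal information: {fact}"
                    for fact in sorted(PERSONAL_FACTS) if fact in lowered)
    # MyPasswordIs01 -> MyPasswordIs02 style rotation: same prefix, new last two characters.
    if (previous and previous != candidate and len(previous) == len(candidate)
            and previous[:-2] == candidate[:-2]):
        problems.append("only the last two characters changed from the previous password")
    return problems


if __name__ == "__main__":
    for sentence in ("Every day I eat ice cream for lunch!",
                     "My daughter is at school today, right?"):
        pw = sentence_password(sentence)
        print(sentence, "->", pw, password_problems(pw) or "passes")
    print(password_problems("MyPasswordIs02", previous="MyPasswordIs01"))
```

Both of the slide's sentence-derived passwords pass the composition rules, while the MyPasswordIs01 → MyPasswordIs02 rotation is flagged twice: once for being longer than the 8–12 characters the slide allows and once for being a last-two-character change.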


Other things may be downloaded


Topics we haven’t covered

• Personal email accounts, i.e. Gmail, Yahoo

• Remote access

• Wireless

• Piggybacking

• Physical security

• Sharing of passwords and logins

• Encryption

• The cloud

• BYOD

• Social Network

• Protecting paper

• Phishing, Vishing, Smishing

• Scareware

• Business Email Compromise (BEC)

• Workplace Security

• Workstation

• What to do if something is wrong


Everyone is Responsible for Protecting Sensitive Information

