IT Security Awareness – Tech-a-Thon. Author-Ipsita Biswal, Date- 25/11/2016

Upload: ipsita-biswal

Post on 07-Jan-2017


Page 1: IT Security Awareness - White Paper (Tech a Thon)

IT Security Awareness – Tech-a-Thon.

Author-Ipsita Biswal, Date-25/11/2016

Page 2

Copyright © Capgemini 2015. All Rights Reserved

Why IT Security Awareness?

IT security is the field of computer science concerned with controlling the risks that arise from the use of computers and the information they process.

The purpose of periodic security awareness training is to develop the competencies, techniques and methods that are essential for dealing with the security issues that can arise.

Page 3

The importance of security awareness 

There is a good chance you will read about a new hack, phishing attack or other type of security incident.

A security awareness training program can provide some level of maturity in incident response and help protect corporate resources; by adopting one, a company greatly improves its security posture.

To do so, you need to take both technical and human aspects into account. The latter especially should not be forgotten, as reality shows that humans are often the weakest link in protecting information.

Losing sensitive or personal data can happen in any moment of inattention. To prevent this, you need to transform your employees from the weakest link into the first line of defense.

Page 4

Purpose of IT Security Awareness

Awareness programs provide a great way to educate personnel and keep the company’s IT security policy fresh in their minds.

The idea behind a campaign is to motivate people to take information security seriously and respond accordingly.

IT security awareness is the knowledge and attitude that members of an organization possess regarding the protection of the physical, and especially the informational, assets of that organization.

Many organizations require formal security awareness training for all workers when they join the organization and periodically thereafter, usually annually.

Page 5

Conveying the Idea

Here is a problem:
1. Your employees
2. Common coding mistakes
3. Unauthorized machines
4. Ancient "rock solid" servers
5. Legacy applications
6. Local admins
7. Incorrect share/file permissions
8. Hidden servers within applications
9. VPN clients
10. Disabled security software

Here is my idea:
1. Best practices and classroom trainings.
2. Self-paced trainings.
3. Include posters, newsletters, email tips, blogs and reminders.
4. Focus on changing behaviors.
5. Relate cyber awareness to personal life, family and home.
6. Solicit end user ideas, encourage feedback, measure success and growth of the program.

I wish I knew how to solve that!

I see how that works!

Page 6

Structure

1. Abstract (5-10 sentences)
2. Introduction (1 page or ~600 words) – Describe a problem (example) and show that it is a useful problem and an unsolved problem
3. The Problem (1 page) – Background and detailed problem description
4. My Idea (2 pages) – Here is how I plan to solve it (my contribution)
5. The Details (5 pages) – My results and the defense of my idea
6. Related Work (2 pages) – Here is my idea compared to others
7. Conclusions and Further Work (0.5 pages) – This is why you should care
8. References (no page limit)

Page 7

Abstract

One of the greatest threats to information security could actually come from within your company or organization. Inside ‘attacks’ have been noted to be some of the most dangerous, since these people are already quite familiar with the infrastructure. It is not always disgruntled workers and corporate spies who are a threat. Often, it is the non-malicious, uninformed employee. The focus will be on uninformed users who can do harm to your network by visiting websites infected with malware, responding to phishing e-mails, storing their login information in an unsecured location, or even giving out sensitive information over the phone when exposed to social engineering.

One of the best ways to make sure company employees will not make costly errors in regard to information security is to institute company-wide security-awareness training initiatives that include, but are not limited to classroom style training sessions, security awareness website(s), helpful hints via e-mail, or even posters. These methods can help ensure employees have a solid understanding of company security policy, procedure and best practices.

Page 8

Introduction

Describe the problem: The internet allows an attacker to attack from anywhere on the planet.

Risks caused by poor security knowledge and practice:
1. Identity theft
2. Monetary theft
3. Legal ramifications (for yourself and companies)
4. Termination if company policies are not followed

According to www.SANS.org, the top vulnerabilities available to a cyber criminal are:
1. Web Browser
2. IM Clients
3. Web Applications
4. Excessive User Rights

State your contribution:
1. Importance of strong passwords and password controls
2. Secure e-mail practices
3. Secure practices for working remotely
4. Avoiding malicious software – viruses, spyware, adware, etc.
5. Secure browsing practices
6. Mobile device security including BYOD
7. Secure use of social media

NOT: “The rest of this paper is structured as follows. Section 2 introduces the problem. Section 3...Finally, Section 8 concludes”

Page 9

The Problem

Concentrate single-mindedly on a narrative that covers:
1. Loss of vital information and inability to function.
2. Loss of professionalism in the eyes of the customer.
3. Loss of confidential customer information.

On the way, cite relevant work in passing, but defer discussion to the end.

Page 10

The Payload of your Paper

A security hacker is someone who seeks to breach defenses and exploit weaknesses in a computer system or network. Hackers may be motivated by a multitude of reasons, such as profit, protest, challenge, recreation, or the evaluation of system weaknesses to assist in formulating defenses against potential hackers.

Page 11

Conveying the Idea

Classroom-Style Training: Utilizing a classroom setting for security-awareness training can offer the benefit of lecture-based and interactive learning as well as the availability of someone to answer questions in real time.

Security Awareness Website: Another way of implementing a security awareness program is through the creation of a security awareness website. This website could consist of different sections covering the different areas that need to be addressed (e.g. malware, hoaxes, file sharing and copyright, etc.). Another implementation of the security awareness website could be a self-paced tutorial where users log in and work through it, taking mini quizzes at the end of each section to make sure the material is actually being read and absorbed. Utilizing logins can also be a means of keeping track of who has (and, more importantly, who has not) taken the training.

Helpful Hints: Utilizing helpful hints and tips is more of a supplement to the training, be it via classroom style or online, and should not be used as a means of security awareness training on its own.

Desktop Security: The desktop security section should go into detail as to why it is important to either have a password-protected screen saver or, even better, to get into the habit of locking computers when users walk away from them. A screensaver timeout should be utilized so if a user walks away from their computer, the password-protected screensaver would come up.

Password Security: The password security section should include what constitutes a strong, secure password or passphrase, with an emphasis on passphrases since they are harder to guess and to crack.
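The passphrase recommendation above is easier to justify with numbers. The following is an added example, not part of the slide deck: it estimates the guessing resistance (entropy in bits) of a random character password against a random multi-word passphrase. It assumes password characters are drawn uniformly from the 94 printable ASCII characters and passphrase words uniformly from a 7776-word list (the Diceware list size); human-chosen secrets are weaker than these figures suggest.

```python
"""Worked comparison of random passwords versus random passphrases.

Added example, not from the slide deck.  Assumptions: characters of a random
password are drawn uniformly from the 94 printable ASCII characters; words of
a random passphrase are drawn uniformly from a 7776-word list (Diceware size).
"""
import math

PRINTABLE_ASCII = 94   # 26 upper + 26 lower + 10 digits + 32 symbols
DICEWARE_WORDS = 7776  # 6**5 entries in a Diceware word list


def password_entropy_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy (bits) of a password whose every character is uniformly random."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count, wordlist_size=DICEWARE_WORDS):
    """Entropy (bits) of a passphrase whose words are uniformly random picks."""
    return word_count * math.log2(wordlist_size)


def words_needed(target_bits, wordlist_size=DICEWARE_WORDS):
    """Fewest random words from the list that reach target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def expected_guesses(bits):
    """Average number of guesses needed to find a secret of the given entropy
    (half the search space); useful when sizing lockout and rate limits."""
    return 2 ** (bits - 1)


def compare(password_len, word_count):
    """Summarise a random password of password_len characters against a
    random passphrase of word_count words."""
    pw = password_entropy_bits(password_len)
    pp = passphrase_entropy_bits(word_count)
    return {
        "password_bits": round(pw, 1),
        "passphrase_bits": round(pp, 1),
        "passphrase_stronger": pp > pw,
    }


if __name__ == "__main__":
    # An 8-character random password versus a 5-word random passphrase.
    print(compare(8, 5))
    # How many random words match a policy demanding 80 bits?
    print("words for 80 bits:", words_needed(80))
```

The point the slide makes falls out of the arithmetic: five random words (about 64.6 bits) beat a fully random 8-character password (about 52.4 bits) while being far easier to remember, and adding a word adds almost 13 bits, which is more than adding one random character adds. Policies expressed as a minimum entropy rather than a minimum character count reward the passphrase approach directly.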

Page 12

Evidence of Threats

Page 13

Writing IT Security Awareness

Page 14

Safe and Secure User Practices

Page 15

Anti-Virus & Anti-Spyware

Page 16

Firewall: Why?

It is necessary to have a software firewall on each computer even if you have a hardware firewall protecting your network. If your hardware firewall is compromised by a hacker or by malicious code of some kind, you don’t want the intruder or malicious program to have unlimited access to your computers and the information on them. Every computer in the network should have its own software firewall enabled; the Microsoft operating system has a built-in firewall, which can be easily located in the control panel. For other commercial operating systems, the operations manual should have instructions about the firewall options. For an added layer of security, commercial firewall software can be installed.

Page 17

Protect your Operating System

Page 18

Password Recommendations


Page 19

Avoid Social Engineering & Malicious Software

Email Attachments
1. Attachments should be opened only from trusted senders.
2. If you are not expecting an email attachment from the sender, it’s a good idea to call and confirm before opening the attachment.
3. Spam email often asks for sensitive information.

Links in emails
1. Never click on a link in an email or attachment unless you are expecting it.
2. If you are not expecting an email link from the sender, it’s a good idea to call and confirm before clicking the email link.
3. If you hover the cursor over an email’s web link description, the link should be displayed at the bottom of the browser. Make sure both of them match.

Trustworthy Web Pages
1. Software downloads should be done only from trusted websites, like Microsoft for Windows updates and Office application updates.
2. Avoid downloading and using freeware or shareware, since most of them come without either technical support or full functionality.

Page 20

Finally…

These are best practices involving Information Security. Most of these practices are from the National Institute of Standards and Technology.

Use these practices at home and at work to keep safe and secure. Employers have policies and procedures regarding secure practices. Be sure to understand them and adhere to them. It will protect you, your employer and your customers.

No security measure is 100%. What information is important to you? Is your back-up:
1. Recent?
2. Off-site & secure?
3. Process documented?
4. Tested?
5. Encrypted?

Page 21

Conclusions

In conclusion, security awareness training, if implemented correctly, is a necessity for any organization. If the user base is properly informed as to what to watch for and what the prevention and remediation procedures are, this alone can prevent many of the potential problems that could affect the infrastructure and the company as a whole. Often it is simply awareness that is the key to prevention and protection. “Employees can and should be the last line of defense.” Security awareness training pays off by teaching users what they can do to prevent malicious activity and what to do in the event of such activity. Of course, security awareness training is not the be-all and end-all, but it is a significant layer of security to add to existing security measures.

Page 22

Summary

1. A pop-up blocker should be installed (many browsers have them as add-ons), but they do not always block all pop-ups.

2. Do not respond to pop-ups while working online. For example, a malicious pop-up message may say that you have a virus on the system. Close it by clicking the X in the upper right corner. If you click OK, it might install spyware or other malicious code.

3. Infected USB drives are often left unattended by hackers in public places. They intend for unsuspecting people to take the USB drive home or to the office and unknowingly install the worm or malicious code.

Page 23

References

SC Magazine UK - Top 10 issues in IT security http://www.scmagazineuk.com/top-10-issues-in-it-security-for-2014/article/326564/

User Security Awareness. https://securingthehuman.sans.org/blog/2011/01/12/top-ten-security-awareness-topics-roundup

Ten Recommendations for Security Awareness Programs http://www.govtech.com/blogs/lohrmann-on-cybersecurity/Ten-Recommendations-for-Security-Awareness-Programs.html

10 security problems you might not realize you have http://www.techrepublic.com/blog/10-things/10-security-problems-you-might-not-realize-you-have/

The Importance of Security Awareness Training https://www.linkedin.com/pulse/importance-security-awareness-training-enterprise-james-fisher

The PCI Security Standards Council https://www.pcisecuritystandards.org/

Six new topics included in the Security Awareness Library https://www.beonedevelopment.com/2016/07/08/security-awareness-library/

Information Security awareness: Local Government and Internet Service Providers http://docplayer.net/8526221-Information-security-awareness-local-government-and-internet-service-providers.html

Page 24

Thank You

Page 25

www.capgemini.com

The information contained in this presentation is proprietary. © 2015 Capgemini. All rights reserved. Rightshore® is a trademark belonging to Capgemini.

About Capgemini

With 180,000 people in over 40 countries, Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. The Group reported 2014 global revenues of EUR 10.573 billion.

Together with its clients, Capgemini creates and delivers business, technology and digital solutions that fit their needs, enabling them to achieve innovation and competitiveness.

A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business Experience™, and draws on Rightshore®, its worldwide delivery model.