National Life IT Department's Cyber Security Awareness Presentation

68805 MK10680(1011) TC64945(1011) National Life Group is a trade name of National Life Insurance Company and its affiliates. For internal use only. Not for use with the public.

Don't be the weak link!

Cyber Security Awareness

Upload: jamie-proctor-brassard

Post on 16-Jul-2015



About Cyber Security Awareness Month

National Cyber Security Awareness Month (NCSAM) began in October of 2004. It was founded and promoted by the Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) as a means to promote education and awareness about the ever increasing number of online security threats that lurk amongst us.

For more information on NCSAM, visit: http://www.staysafeonline.org

Our Mission

For the last several years, National Life Group has put on a Cyber Security Awareness Fair during the month of October in an effort to raise our employees' awareness of online threats and countermeasures. NLGroup's vision statement is "To Bring Peace of Mind to Everyone We Touch." One of the things that we, as employees, can do to commit to this vision is to foster a strong, responsible, security-centric culture around our computer-based infrastructure. Due to the sensitive nature of much of the data we work with, a computer security related incident at NLGroup could be especially devastating. Therefore, everyone should make it their responsibility to do everything in their power to help keep our systems secure.

NLGroup Cyber Security Awareness Fair 2011

The security of a computer network can only be as strong as its weakest link, which can sometimes turn out to be its users. You can engineer your network out of all of the best hardware and software on the market, and implement the most cutting edge security protocols around, but all it may take is one user opening the wrong attachment to send it crumbling down. This year’s theme for our security awareness fair is: “Don’t be the Weak Link”. This theme is meant to emphasize the fact that one of the most vulnerable parts of any network is the user with a low level of security awareness.

This document will summarize several common attacks that target the users on a network and tips on how to avoid them.

Social Engineering

Not all of the threats out there are high-tech, and in fact social engineering has been around long before computers. Social engineering covers a fairly wide area of incidents, but at a basic level it involves using certain techniques while interacting with someone to gather information or achieve some other desired result. These techniques could include all manner of trickery, such as impersonating an authority figure, blackmail, extortion, bribery, or just lying convincingly. Someone could even gain employment with the company and gain the trust of his peers over time! The desired result might be access into a building or secure area, your login credentials, or personal information. With this new information, the criminal can now do all kinds of unsavory things. These types of incidents can be hard to detect, as the perpetrator will most likely have done some research ahead of time to put on a convincing show, whether it is in person, on the phone, or via email.

Consider this scenario: You receive a phone call at work from a man who introduces himself as “Jim Brown, down here in IT...”. He knows your name, and informs you that he is about to install some firmware on your computer remotely, and that you are going to have to turn off your machine for ten minutes while he applies the changes. He goes on to say that unfortunately, the update process reverts your password back to the default password scheme, but if you would like you could give him your current password and user id and he would change it back for you so you didn’t have to put in a ticket with system security.

This phone call would likely seem convincing at face value: the caller knew your name, identified himself, and had a very clear purpose for calling. He also spoke casually and knew the lingo. If you didn't know many people on the IT team, it would be fairly easy to be taken in. The only real tip-off is the fact that he asked for your login credentials so that he could do you a "favor" and reset your password for you. Many unaware people would give "Jim" their login credentials and then turn off their computer for ten minutes while he did whatever he wanted with their account. Imagine trying to explain to your manager why large volumes of sensitive information were emailed to an outside address from your company email account!

The next page includes tips on how to prevent social engineering from being effective.

Fast Fact: Each of the threats in this document (and many more!) involves some element of social engineering.

The following tips can help prevent social engineering from being effective:

• NEVER give out personal information or login credentials belonging to you or anyone else to someone you do not know. Verify the legitimacy of such requests (in this case by contacting IT) before releasing any information.

• Ask questions such as why they need the information, who they report to, etc. Even well researched and practiced impersonators can show cracks in their story when pressed.

• Do not allow anyone you do not know personally, or those that do not have the appropriate authorization, to follow you into the building or a secure area.

• Report suspicious personnel loitering near your work space.

• Report any suspicious phone calls or emails to management and system security.

Fast Fact: Frank William Abagnale Jr. was a successful impersonator and was able to masquerade as a commercial pilot, doctor, lawyer, and teacher in various work environments. Talk about social engineering! Abagnale was portrayed by Leonardo DiCaprio in the 2002 movie Catch Me If You Can.

(Source: Computer Security Handbook, 5th Ed. Vol 1)


Phishing and Spear-Phishing

Phishing is a specific type of attack that uses fraudulent emails to trick people into giving out confidential information. One of the most popular methods used involves sending out bulk email to numerous email addresses, masquerading as an urgent security alert from a popular bank or website such as Bank of America, PayPal, or Facebook. These emails notify the recipient that the website’s security has been compromised, and that it is imperative that the user follow a link to a site to update their security information. The provided link will lead to a convincing webpage that will include a form asking for personal information, passwords, IDs, and sometimes bank account or credit card numbers to verify their identity. Once the information is verified, the user is usually redirected to the real webpage, completing the illusion of legitimacy. The hapless user is now at the mercy of the people executing the attack. This technique could even be used for the user’s workplace login information, which would mean their employer would also be at risk.

Spear-phishing is a more direct version of phishing. This time, the email will appear to come from a friend, family member, or manager. It may even contain personal references, inside jokes, confidential information, or company signatures gleaned from social engineering campaigns that will make it appear legitimate. These emails will specifically target the recipient, and the desired result will likely be to get a very specific set of information from the user.

Phishing IQ Test:

If you would like to test how good you are at detecting phishers, please take this online test.

Go to: http://www.sonicwall.com/furl/phishing/

The test will serve up actual e-mail that claims to come from large companies; your job is to decide which are real and which are phishing expeditions.

The next page includes tips to help protect yourself from phishing and spear-phishing.

Fast Fact: An estimated 59 million phishing e-mails are sent each day.

(Source: http://www.scmagazineus.com/aniti-phishing-bill-working-its-way-through-us-senate/article/107762/)

The following tips will help protect you and NLGroup from becoming the victims of a phishing or spear-phishing attack:

• Don't respond to emails requesting that you confirm your user ID and password or other credentials, account numbers, etc.

• Don't respond to unsolicited emails: If you don't know the sender, don't respond. If they are offering a product or service, remember the old adage "If it looks too good to be true, it probably is."

• Don't click on links in emails: Link names do not necessarily reflect where they link to. A link that says www.google.com can take you to any website. A better practice is to type the address manually into your web browser.

• Verify transmission of sensitive info with the sender: If you receive an email requesting sensitive information, it never hurts to verify the request by calling the company or individual sending the email. Make sure you use a phone number from a secondary source, not the one provided in the email.

• Read emails carefully: Pay attention to the content of an email. If an email is supposed to be an official announcement or request, it should raise some suspicion if it is rife with errors or doesn't flow in a logical manner. If an email from a coworker isn't consistent with their normal writing style, take a closer look at it.

• Look into installing add-ons for your browser at home: Many browsers offer add-ons that can help protect you while online. This will not be necessary for your corporate-issued computer.

• Pay attention to alerts from IT, and utilize available resources: If you receive an alert about a scam, don't ignore it. There are also resources online, such as the FBI website, where you can find more information about online scams and attacks.

Fast Fact: PayPal and eBay are the two most commonly used names in phishing emails.

(Source: http://news.cnet.com/8301-27080_3-20004819-245.html)


Scareware and Ransomware

Scareware and ransomware are classified as a type of malware called trojans. A trojan is a program that appears to have a legitimate and safe function, but ends up having a darker purpose. Scareware masquerades as an antivirus, anti-malware, or firewall program. Once installed, it will usually wait a while before showing its true colors. All of a sudden, a pop-up alert will appear that says that this program has detected some kind of virus, or maybe a whole slew of them (that probably don't exist), but unfortunately cannot remove them unless the user registers the program. This usually involves a monetary transaction. After that, the warnings may or may not disappear and the program may go inactive. At that point it is already too late, as the damage is done: you have not only lost money in the deal, but confidential information as well if you filled out any kind of registration form. A common example of this type of malware is "Antivirus 20XX" (the year changes to remain current). This program masquerades as the Windows Security Center, which it disables. It then follows the previously mentioned model. There was also a similar program called "MacDefender" that circulated earlier this year targeting Apple computers.

Ransomware is similar to scareware, except instead of trying to scare the user into registering a fake product, it uses extortion as a tactic instead. Usually, these are targeted at corporations rather than individual users. Once installed, the program will encrypt some amount of data on the target’s system. In order to get the encryption key and regain utility of the data, the victim will have to pay money to the attacker. This attack can be very effective, because without the use of their data, some corporations can lose a significant amount of money in a few hours. This being the case, many corporations will pay the fee rather than contact the authorities, as the resulting delay will likely mean a larger sum of money being lost.

The next page includes tips on how to avoid malware.

Fast Fact: One international scareware ring investigated in June 2011 by the FBI and a multi-national task force infected more than 1 million victims and cost over $74 million!

(Source: http://www.fbi.gov/news/pressrel/press-releases/department-of-justice-disrupts-international-cybercrime-rings-distributing-scareware)

Here are a few tips for avoiding this type of malware:

• Review any software before download. If you can find several credible reviews that back up the legitimacy of the software, it will most likely be safe.

• If infected, don’t buy into their scare tactics. Instead, seek assistance in removing the program, as they can sometimes be tricky to remove safely.

• Any suspicious software or processes on your work computer should be reported immediately to your manager and system security.

• Purchase and install a reputable antivirus. The benefits of this action will extend far beyond the threat of scareware.

• Do not install programs at work. Your work computer already has antivirus protection. If you need a specific program, put in a request with the Helpdesk.

Fast Fact: A ransomware program infected around 2500 users during a 5 week period in December 2010 - January 2011, earning the perpetrators over $30,000! The program required the user to send a text message to a premium service in order to unlock their computer.

(Source: http://news.softpedia.com/news/Russian-SMS-Ransomware-Earned-Fraudsters-30-000-in-Five-Weeks-178235.shtml)


Malicious Code Distributed via Email

By now, everyone is intimately familiar with junk email sent in bulk, AKA spam. Most of the time, these unwanted emails are an annoyance, advertising products or services unsolicited by the recipient. Spam can also be used for more nefarious purposes, such as distributing viruses and other malware. Malicious code can be hidden in Flash videos, PDF documents, and also in MS Word or Excel documents. Sometimes, it will be embedded directly in the email content instead of in an attached file. This type is extremely dangerous, as just opening the email could infect your computer. Usually, emails that contain malicious code, either attached or embedded, will have an attention-grabbing subject line such as "LOL... Funniest Joke Ever!" or "You've Gotta See This Video!!!". They can also have subject lines that seem more personal or important, such as "Here is the document that you requested...". The malware that is distributed in this way can take many different forms, none of them good. Many will self-replicate by hijacking your email account and sending themselves out to all of your contacts, which is more dangerous because now the "World's Funniest Video!!!" is coming from a trusted contact. It should also be noted that this type of distribution can be combined with phishing and spear-phishing attacks for added mayhem.

This type of threat can be mitigated by a few simple things:

• Don’t open unsolicited emails like Spam. This guidance also goes for emails coming from contacts that don’t normally send those types of emails.

• Disable the email viewer in your email program or webmail. This is the window that displays the contents of the email as you scroll through your inbox. Embedded malicious code will run if you accidentally click on the email and it opens in the viewer.

• Don’t open attachments, unless it is something specific that you have been expecting from a contact.

• Script blocking add-ons are available for many browsers that can help prevent embedded code from running when reading an email.

• Keep your software up to date. Malicious code will often exploit flaws in software, such as Adobe Reader or Flash Player, so keeping your software up to date can help keep you protected.
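Two of the warning signs above can be checked mechanically: a link whose visible text names one site while its target points at another (the "www.google.com can take you to any website" point from the phishing tips), and an attachment of a type the presentation names as a malware carrier. The following triage script is an added example for this page, not code from National Life Group or its IT department. It assumes a constructed sample message built inline (the domains, subject and filename are made up), and its RISKY_EXTENSIONS list is illustrative rather than any product's policy.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types the presentation names as malware carriers (Flash, PDF,
# Word, Excel) plus a few executable/macro-enabled forms. Assumption: an
# illustrative list for this example, not any product's policy.
RISKY_EXTENSIONS = {".swf", ".pdf", ".doc", ".docm", ".xls", ".xlsm", ".exe", ".js"}

# Visible anchor text that "looks like an address": optional scheme, a dotted
# host ending in a letters-only TLD, optional path. Plain words like
# "Click here" do not match, so they are not flagged.
_LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Host of a URL or bare domain, lower-cased and without a leading 'www.'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def deceptive_links(html):
    """Return (visible_text, href) pairs where the text names one host but the link goes elsewhere."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(text, href) for href, text in collector.links
            if _LOOKS_LIKE_URL.fullmatch(text) and _host(text) != _host(href)]


def risky_attachments(msg):
    """Return filenames of attachments whose extension is in RISKY_EXTENSIONS."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            names.append(name)
    return names


def triage(raw_message):
    """Parse an RFC 822 message string and report both kinds of warning sign."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"deceptive_links": deceptive_links(html),
            "risky_attachments": risky_attachments(msg)}


def build_sample():
    """Constructed phishing-style message (not a real capture) used as sample input."""
    msg = EmailMessage()
    msg["From"] = "security-alert@examplebank.example"
    msg["To"] = "employee@nlgroup.example"
    msg["Subject"] = "Urgent: verify your account"
    msg.set_content("Please verify your account at www.examplebank.com.")
    msg.add_alternative(
        '<p>Please verify at <a href="http://verify-login.example.net/form">'
        "www.examplebank.com</a> within 24 hours.</p>",
        subtype="html",
    )
    msg.add_attachment(b"not a real document", maintype="application",
                       subtype="octet-stream", filename="Account_Form.docm")
    return msg.as_string()


if __name__ == "__main__":
    print(triage(build_sample()))
```

Running the script on the constructed message reports the anchor whose text reads www.examplebank.com but whose target is verify-login.example.net, and the .docm attachment. The host comparison deliberately ignores a leading "www." so that a legitimate link such as www.google.com pointing at https://www.google.com/ is not flagged; anything more exotic (look-alike characters, shortened URLs) is outside what this check can see, which is why the tip to type addresses manually still stands.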

Fast Fact: Heidi Klum was recently ranked #1 by McAfee on its list of dangerous online celebrities, as many spammers and malicious websites have used her name recognition to dupe users.

(Source: http://www.mcafee.com/us/about/news/2011/q3/20110915-02.aspx)

Online Resources

National Cyber Security Alliance and National Cyber Security Awareness Month
http://www.staysafeonline.org

Antivirus and Anti-Malware
http://www.symantec.com/norton/internet-security
http://us.mcafee.com/root/store.asp
http://www.microsoft.com/security_essentials/
http://www.avast.com/mac-edition

Phishing and Site Verification
http://antiphishing.org
http://www.sonicwall.com/phishing
http://fraud.org/tips/internet/phishing.htm

Fast Fact: The first MS Word macro virus, "Concept", was launched in 1995. It spread via an infected Word document attached to email and was one of the most common virus occurrences on the internet for over a year!

(Source: http://www.softpanorama.org/Malware/Malware_defense_history/Malware_gallery/Macro_viruses/concept.shtml)

Don’t be the weak link!

National Life Home Office: One National Life Drive, Montpelier, Vermont 05604 Telephone: 888-279-3990 • www.nationallife.com

National Life Group® is a trade name of National Life Insurance Company and its affiliates. Each company of the National Life Group is solely responsible for its own financial condition and contractual obligations.