Pasadena Cyber Security Roundtable Information Security Awareness March 2017 © Copyright 2017. Citadel Information Group. All Rights Reserved. Providing Information Peace of Mind ® to Business and the Not-for-Profit Community


Page 1

Pasadena Cyber Security Roundtable: Information Security Awareness

March 2017

© Copyright 2017. Citadel Information Group. All Rights Reserved.

Providing Information Peace of Mind ® to Business and the Not-for-Profit Community

Page 2

Kimberly Pease, CISSP

25 Years, Information Security,

Information Technology

Co-founder and Vice President

Citadel Information Group, Inc.

Certifications:

CISSP

Six Sigma Black Belt

Information Systems Security

Association

Los Angeles Chapter, ISSA-LA (Since 2002)

Interviews with the Media: Good Morning America

NBC News

Instructor


Page 3

Why a Business Needs Information Security Awareness Training


1. Most are unaware

2. Laws and regulations

3. Compliance and contracts

4. Incident Response – what to do?

5. Threats and vulnerabilities have changed

6. Management is committed and wants to change culture and provide guidance to staff

7. Address the myths surrounding “It is a technical problem and IT’s job.”

8. Other?

Page 4

Excerpts from Citadel’s Information Security Awareness Training


Page 5

Information Security Matters … And YOU Are the First Line of Defense


Page 6

Page 7

The Business Needs Your Commitment

• Understand that the business’ information has value to cyber criminals

• Understand that the business is under attack by cyber criminals

• Understand the consequences to you and the business, if we fail to protect our sensitive information

• Commit to doing your part to protect the business’ information


Page 8

Cybercrime’s Greatest Impact is on Small & Medium Sized Organizations

• 30% of victims have fewer than 250 employees

• 60% of small-business victims are out of business within 6 months

• 80% of these breaches were preventable


Page 9

What Do Cybercriminals Want: $$$$$

• Steal information

  • Social Security numbers

  • Credit card numbers

  • Bank account numbers

  • Health information

  • Sales / donor lists

  • Login credentials

  • Trade secrets

  • Intellectual property

• Deny you the ability to use your own information

  • Ransomware

• Use your computer

  • Attack other victims

    • Botnet

    • DDoS

  • Storage

    • Stolen software

    • Stolen movies

    • Child porn


Page 10

What are they after?

Page 11

Information = $$$

Page 12

What Does This Have to Do With You?

• You Have What They Want

• You are a Target

• You are Their Way In

• It Only Takes One!


Page 13

Understand the threat and impact to you and the business


Page 14

Not just the lone hacker anymore


Page 15

Who are these guys?


Page 16

Think of all the places information is stored


Page 17

Not all information is created equal

• Confidential

• Restricted

• Public

Information classification is usually determined by the impact to the business if it is disclosed.

Page 18

Laws and Regulations: Compliance


Page 19

PCI Compliance

• PCI = Payment Card Industry Data Security Standard

• PCI compliance requires a high level of security


Page 20

HIPAA Compliance

• HIPAA = Health Insurance Portability and Accountability Act; it requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy and security of protected health information.

• HIPAA compliance requires a high level of security

• Covered entities (CEs) and business associates (BAs) are now liable


Page 21

People are our greatest asset

People, though, continue to create the greatest risks.

People are our weakest link when it comes to information security.

When they practice insecure behaviors, they are our greatest vulnerability.

Page 22

Cybercriminals know you aren’t paying attention

• Cybercriminals study the behaviors of employees

• They use you to get around security defenses

• They make you an unwitting accomplice to allow them to steal information

• All they need is one vulnerable, careless person

• One behavior can cost a company thousands or even millions of dollars

Page 23

Poor security habits = business risk

• Weak password habits

• Poor email habits

• Poor workplace security habits

• Poor judgment habits

• Workarounds

• Careless behavior

• Poor judge of risk

• All of these are known to the hackers and cybercriminals


Page 24

Social Engineering


Page 25

Most Common Types of Social Engineering Attacks

• Phishing: casting a wide net

• Smishing: texting

• Vishing: voice

• Spear phishing: targeting a specific fish

Page 26

Components of a Phishing Email

Hello,

As part of our security measures, we regularly screen activity in the system. We recently contacted you after noticing an issue on your account. A system detected unusual information on your account.

Please follow the link bellow.

www.linktobadwebsite.com

If you don’t follow the link, your account will be blocked.

Regards,

The IT Department

Red flags marked on the slide:

• Asserts authority

• Raises concern

• Provides links or attachments

• Contains threats or urgency

• Typos

• Generic greeting

• From a familiar company or person
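The components listed on this slide can be checked mechanically, which is how mail filters and user-reporting tools triage suspicious messages. The script below is an added example, not code from Citadel's training: it scores the slide's own sample message against six of the seven components (the seventh, a spoofed familiar sender, needs mail-header analysis that a text-only scorer cannot do). The greeting, authority, concern, urgency and typo word lists are assumptions chosen for illustration.

```python
"""Heuristic scoring of a message for the phishing components listed on the
slide: asserted authority, raised concern, links/attachments, threats or
urgency, typos and a generic greeting. Added example, not part of the original
deck; the sample message is the slide's own text, the word lists are
assumptions for illustration."""
import re
from typing import Dict

# The slide's sample phishing email, embedded so the script runs offline.
SAMPLE_MESSAGE = """Hello,

As part of our security measures, we regularly screen activity in the system.
We recently contacted you after noticing an issue on your account. A system detected unusual
information on your account.

Please follow the link bellow.

www.linktobadwebsite.com

If you don't follow the link, your account will be blocked.

Regards,
The IT Department
"""

# Assumed indicator lists; a real deployment would tune these per organisation.
GENERIC_GREETINGS = {"hello,", "hi,", "dear customer,", "dear user,", "dear member,"}
AUTHORITY_PHRASES = ("it department", "security team", "administrator", "helpdesk", "support team")
CONCERN_PHRASES = ("unusual", "issue on your account", "suspicious", "unauthorized", "verify your account")
THREAT_PHRASES = ("will be blocked", "will be suspended", "immediately", "within 24 hours")
COMMON_TYPOS = {"bellow", "recieve", "accout", "verfy", "passowrd"}
URL_PATTERN = re.compile(r"(https?://\S+|\bwww\.\S+)", re.IGNORECASE)


def phishing_indicators(message: str) -> Dict[str, bool]:
    """Return indicator name -> whether it is present in the message text."""
    text = message.lower()
    # The greeting is the first non-blank line of the body.
    first_line = next((ln.strip().lower() for ln in message.splitlines() if ln.strip()), "")
    words = set(re.findall(r"[a-z']+", text))
    return {
        "generic_greeting": first_line in GENERIC_GREETINGS,
        "asserts_authority": any(p in text for p in AUTHORITY_PHRASES),
        "raises_concern": any(p in text for p in CONCERN_PHRASES),
        "provides_link": bool(URL_PATTERN.search(message)),
        "threat_or_urgency": any(p in text for p in THREAT_PHRASES),
        "typos": bool(words & COMMON_TYPOS),
    }


def phishing_score(message: str) -> int:
    """Count how many of the slide's components are present (0 to 6)."""
    return sum(phishing_indicators(message).values())


if __name__ == "__main__":
    for name, hit in phishing_indicators(SAMPLE_MESSAGE).items():
        print(f"{name:20s} {'YES' if hit else 'no'}")
    print("score:", phishing_score(SAMPLE_MESSAGE))
```

The slide's sample trips all six checks; an ordinary internal note with a named greeting, no link and no deadline scores zero. Keyword lists like these are a teaching aid, not a filter: real phishing varies its wording, so the score is best used to prompt a human look rather than to block mail on its own.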

Page 27

Page 28

Page 29

Users Unwittingly Open the Door to Cybercrime

http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps.signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/
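Why the address on this slide is not Citibank's site: a browser decides which site it is talking to from the rightmost labels of the hostname, so everything to the left of paroquiansdores.org is just a subdomain that the site's owner controls, and the familiar "www.citibank.com" is bait. The script below is an added example, not part of the deck; it takes the slide's URL (joined onto one line), extracts the registrable domain and flags the brand-name prefix. The "last two labels" rule and the protected-brand list are simplifying assumptions; production tooling should consult the Public Suffix List.

```python
"""Show why the long hostname on the slide is not Citibank: the registrable
domain is at the right end of the host, and 'citibank.com' on the left is
only a subdomain label. Added example, not from the original deck; SLIDE_URL
is the slide's own example, the other URLs are constructed."""
from typing import Optional
from urllib.parse import urlsplit

# The slide's example URL, joined onto one line.
SLIDE_URL = ("http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps.signon."
             "online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f."
             "uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj."
             "4yqvgfy5geuuxeefcoe7.paroquiansdores.org/")

# Brands a defender wants to protect; an assumed list for this example.
PROTECTED_DOMAINS = {"citibank.com"}


def hostname(url: str) -> str:
    """Lower-cased host part of the URL, without scheme, port or userinfo."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in URL: {url!r}")
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels of the host.

    Simplifying assumption: real tooling must use the Public Suffix List
    (for example via the `tldextract` package) to handle suffixes like co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def spoofed_brand(url: str, protected=PROTECTED_DOMAINS) -> Optional[str]:
    """Return the protected domain that appears inside the host as a lookalike
    label sequence while the real registrable domain is something else."""
    host = hostname(url)
    if registrable_domain(host) in protected:
        return None  # genuinely hosted on the brand's own domain
    for brand in protected:
        if host.startswith(brand + ".") or ("." + brand + ".") in host:
            return brand
    return None


def explain(url: str) -> str:
    """One-line verdict suitable for an awareness demo or a mail-gateway log."""
    host = hostname(url)
    reg = registrable_domain(host)
    brand = spoofed_brand(url)
    if brand:
        return f"{host}: '{brand}' appears as a subdomain, but this site is really {reg}"
    return f"{host}: registrable domain is {reg}"


if __name__ == "__main__":
    for u in (SLIDE_URL, "https://www.citibank.com/signon", "https://example.org/"):
        print(explain(u))
```

The same check is the one to teach users by hand: read the hostname from the right, find the first dot before the top-level domain, and that is the site you are really visiting.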

Page 30

Ransomware = Data kidnapping

• Type of malware

• Email ransom note containing demands

• Prevents or limits access to a system or device

• Locks the system’s screen or encrypts files

• Forces users to pay the ransom through certain online payment methods to get a decryption key

• Never any guarantee the data will be returned

Page 31

Ransomware infections using names of various authorities

Page 32

Ransomware that locks up workstations and encrypts users' files

Page 33

Spear Phishing

* NOTE: This e-mail originated from an IP address in Aubervilliers, France

Page 34

Social Engineering Do’s and Don’ts

• Ask yourself: is it unsolicited and unexpected?

• Look for grammatical errors or typos

• Pay attention to the greeting

• Be wary of attachments

• Don’t click on links

• Get rid of the email or forward it to IT

• Never provide passwords

• Never provide confidential information without positive verification

• Listen to your gut

Page 35

Keep Computer Programs Patched and Updated


Page 36

How Secure Is Your Password?


Page 37

Choosing a Strong Password

• Must contain between 8 and 12 characters

• Must contain at least one character from each of the following four categories

  • Numbers: 1, 2, 3, 4, …

  • Lowercase letters: a, b, c, d, …

  • Uppercase letters: A, B, C, D, …

  • Special characters: !, @, #, $, …


Page 38

Passwords: Things to Avoid

• Should not be just words from the dictionary, ANY dictionary, e.g. English, French, Russian, etc.

• Should not be something of personal significance

• Pet/spouse/child’s name

• Phone number

• Birthday / Anniversary

• Anything on Social media sites, Facebook, etc.

• Anything associated with the business

• Avoid simple transformations

• Reversing the spelling

• Avoid just changing the last two characters

  • MyPasswordIs01, MyPasswordIs02, MyPasswordIs03, …

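The rules on this slide and the previous one (length, all four character classes, no dictionary words in any language, no reversed words, no changing only the last two characters of the old password) are straightforward to encode, and a checker like this is what a help desk or a self-service reset page would run before accepting a new password. The script below is an added example, not Citadel's code; its word list and the sample password history are constructed, and the 8-12 character bounds are the slide's own numbers (current guidance, NIST SP 800-63B, favours longer passphrases over composition rules, so the bounds are left as parameters).

```python
"""Password checker applying the two slides' rules: 8-12 characters, all four
character classes, no dictionary word forwards or reversed, and no reuse of a
previous password with only the last two characters changed. Added example,
not part of the original deck; DICTIONARY and the password history used in
main() are constructed for illustration."""
import string
from typing import List, Sequence, Set

# The slide's bounds; NIST SP 800-63B recommends allowing much longer passwords.
MIN_LEN, MAX_LEN = 8, 12

# Constructed stand-in for "ANY dictionary": a real checker loads word lists
# for every language in use plus business-specific terms.
DICTIONARY = {"password", "welcome", "citadel", "pasadena", "bonjour", "privet"}

REQUIRED_CLASSES = {"number", "lowercase", "uppercase", "special"}


def char_classes(pw: str) -> Set[str]:
    """Which of the four required categories the password contains."""
    classes = set()
    for ch in pw:
        if ch.isdigit():
            classes.add("number")
        elif ch in string.ascii_lowercase:
            classes.add("lowercase")
        elif ch in string.ascii_uppercase:
            classes.add("uppercase")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def is_dictionary_based(pw: str) -> bool:
    """True if the password is a dictionary word, or one spelled backwards,
    ignoring case and ignoring digits/punctuation tacked onto the ends."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core in DICTIONARY or core[::-1] in DICTIONARY


def is_simple_increment(pw: str, previous: str) -> bool:
    """True if pw is the previous password with only its last two characters
    changed (MyPasswordIs01 -> MyPasswordIs02)."""
    return len(pw) == len(previous) and len(pw) > 2 and pw[:-2] == previous[:-2]


def check_password(pw: str, previous_passwords: Sequence[str] = ()) -> List[str]:
    """Return the rule violations; an empty list means the password passes."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    missing = REQUIRED_CLASSES - char_classes(pw)
    if missing:
        problems.append("missing character class(es): " + ", ".join(sorted(missing)))
    if is_dictionary_based(pw):
        problems.append("based on a dictionary word (forwards or reversed)")
    if any(is_simple_increment(pw, old) for old in previous_passwords):
        problems.append("only the last two characters differ from a previous password")
    return problems


if __name__ == "__main__":
    history = ["MyPasswordIs01"]  # constructed previous password
    for candidate in ("Welcome1!", "drowssaP9!", "MyPasswordIs02", "Go2seeThe%"):
        print(candidate, "->", check_password(candidate, history) or "OK")
```

Note what the checker cannot see: "something of personal significance" (a pet's name, a birthday, anything posted on social media) is only caught if those terms are loaded into the word list, which is why the slide's advice on what to avoid still has to be taught rather than enforced.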

Page 39

Safe Password Practices

• Change regularly

• Keep your passwords private

• If you must write down your passwords, keep them safe


Page 40

Tips to Remember Your Password

• Punctuate passwords with numbers and special characters.

• Prada9forthewin!

• 1cat2many!!

• My*space*4*life

• Create a password around a sentence that has meaning for you

• EdIeic4l! = Every day I eat ice cream for lunch!

• Mdi@s2dr? = My daughter is at school today, right?

• Passphrases

• Go2seeTheWizard%

• IronMan!StheM0^132c

• Random Keyboard patterns

• Bgt%678uhb

• mJU&^%432


Page 41

Page 42

Other things may be downloaded


Page 43

Topics we haven’t covered

• Personal email accounts, e.g. Gmail, Yahoo

• Remote access

• Wireless

• Piggybacking

• Physical security

• Sharing of passwords and logins

• Encryption

• The cloud

• BYOD

• Social Network

• Protecting paper

• Phishing

• Vishing

• Smishing

• Scareware

• Business Email Compromise (BEC)

• Workplace Security

• Workstation

• What to do if something is wrong


Page 44

Everyone is Responsible for Protecting Sensitive Information


Page 45

Pasadena Cyber Security Roundtable: Information Security Awareness

March 2017

© Copyright 2017. Citadel Information Group. All Rights Reserved.

Providing Information Peace of Mind ® to Business and the Not-for-Profit Community