training 2000 cyber security - your guide to cyber awareness


Post on 30-Jul-2016


DESCRIPTION

Following your completion of our cyber security training course, this guide will provide information, hints and tips for remembering your good practice in cyber security.

TRANSCRIPT

Page 1: Training 2000 Cyber Security - Your Guide to Cyber Awareness
Page 3

• To work in line with company policies and/or procedures

• To do your utmost to protect the organisation from a cyber attack

• To treat the data you are responsible for handling with care

• To properly raise any queries or concerns

• To escalate any issues which may affect the organisation

• To be vigilant and to take proper care when handling, sharing or storing data

• To act as an ambassador of your organisation, respecting its security culture both internally and externally

Page 4

• Using the same password for all your accounts is the greatest risk to your personal security

• Passwords can be cracked very easily, so strong passwords are essential

• A strong password should include: upper and lower case letters, numbers, special characters AND be different for every account!

• Developing your own algorithm to make sure your passwords meet the criteria for a strong password every time

• Using strongpasswordgenerator.com to come up with a new one, and then…

• …storing it in a password vault so you don’t forget it!
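The guide's four character-class criteria and its warning about reusing one password everywhere, turned into a small audit over the contents of a password vault. This is an added example, not part of the original guide; the vault contents are constructed, not real credentials.

```python
import re
from collections import defaultdict

# The character-class criteria the guide lists for a strong password.
# Note: the guide does not state a minimum length, so none is enforced here.
CRITERIA = {
    "upper case letter": r"[A-Z]",
    "lower case letter": r"[a-z]",
    "number": r"[0-9]",
    "special character": r"[^A-Za-z0-9]",
}


def missing_criteria(password: str) -> list[str]:
    """Return the names of the guide's criteria that the password does not meet."""
    return [name for name, pattern in CRITERIA.items()
            if not re.search(pattern, password)]


def reused_passwords(accounts: dict[str, str]) -> list[list[str]]:
    """Group account names that share one password (the guide's 'greatest risk').

    accounts maps account name -> password, as a vault export would hold them.
    """
    by_password = defaultdict(list)
    for account, password in accounts.items():
        by_password[password].append(account)
    return [sorted(names) for names in by_password.values() if len(names) > 1]


def audit(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Per-account findings: unmet criteria, plus a note when the password is shared."""
    findings = {account: missing_criteria(pw) for account, pw in accounts.items()}
    for group in reused_passwords(accounts):
        for account in group:
            others = [a for a in group if a != account]
            findings[account].append("same password as " + ", ".join(others))
    return findings


# Constructed sample vault (hypothetical accounts and passwords) to exercise the audit.
SAMPLE_VAULT = {
    "email": "Tr4ining!2000",
    "bank": "Tr4ining!2000",
    "forum": "sunshine",
    "payroll": "Qk7#pz9LmW2r",
}

if __name__ == "__main__":
    for account, problems in audit(SAMPLE_VAULT).items():
        print(f"{account}: {'OK' if not problems else '; '.join(problems)}")
```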

Page 7

• Spamming - sending the same (fake) email to a large number of recipients

• Spear phishing - an email that appears to be from someone you know

• Vishing - a telephone scam aimed to trick the user into giving out information

• SMiShing - a text message which prompts the user to download malware

• Whaling - a type of spear phishing aimed at senior executives

• Pharming - redirects traffic meant for a legitimate site to another, fake site

• Spoofing - creation of email messages with a false sender address

• Cancel any downloads that may have started and delete them

• Delete anything in your recycle bin

• Close your internet browser (and turn off data)

• Use another device to change your passwords

• Restart your device

• Be wary of your machine’s performance

• Check that all installed programmes are ones YOU chose

• If in doubt, ask!

Page 8

• Steal money through fake payment portals

• Trick you into downloading malware

• Read your IP address and online footprint to follow you elsewhere

• Drop cookies into your browser

• Steal your usernames and passwords (what did we learn about passwords?!)

• Ask your IT department or provider to check the site’s safety before using it

• Do NOT input any personal information

• Check other online sources

• Call the phone number to check

• Use Norton’s Safe Web widget: https://safeweb.norton.com

Page 10

• Files - Use an encrypted drive, such as TrueCrypt

• Emails - You can set up encryption for emails via your email provider

• Devices - You can buy encrypted hard drives and USBs or use encryption software

• Documents - You can select ‘encrypt with password’ on your documents

• Cloud storage - Use a secure cloud storage provider such as Box, or OneDrive

Page 11

• Use the process of data classification to decide what should be encrypted and whom you are sending it to

• Basic classifications include - public, informal, confidential, critical - you may choose (or your policy may say) to only encrypt confidential and critical

• Adopt the ‘need to know’ mentality: only send information to people who really need it, rather than copying people in on sensitive data they do not necessarily need

Page 12

• Be aware of your physical surroundings – ‘shoulder surfing’

• Log out of sites when not in use

• Lock down your computer when away from your desk – ctrl, alt & delete

• Don’t leave sensitive information, including passwords in view

• Don’t share your passwords with anyone else

• Don’t be afraid to question – common sense prevails

• Be cautious about what you post on social media

• Maintain the same good practice when away from the office

• Use your shared network whenever possible – this is backed up and access rights are in place based on your needs

• If you are working away from the office with no access to your network, save your work in an encrypted drive, until you can move this over to your shared area

• Don’t rely on storing information on portable devices as they can easily be lost. If you have to use them, make sure they are encrypted.

Page 14

• Direct supervision is not possible

• Loss of IT equipment is much more likely

• Public environment – lots of people can see what you’re doing

• Unsecured networks

• Data protection

• Usernames

• Passwords

• Emails

• Messages

• Files

• Network drives

• Web pages

Page 15

• Pay attention to your remote working policy

• Be aware of who is around you - can you see what they are working on?

• Use a VPN (Virtual Private Network) to encrypt your internet traffic

• Don’t leave your device unattended

• Don’t use removable media devices

• Don’t save preloaded website credentials

• Don’t connect to open WiFi

Page 16

• Social engineering is ‘the art of human hacking’

• It can be a lucky route in, or a fully targeted and planned attack

• You may not consider it to be ‘cyber security’, however social engineering targets the perimeter around the digital target:

• People

• Buildings

• Information

• How social engineers build a profile of the target:

• Using information found on social media sites

• Observing and attempting ways into the building

• Planting phishing emails and scam calls to gain further information

• Always keep a clear desk

• Pay attention to who is in the building – use correct visitor procedures

• Be mindful about the information you share on social media

• Be suspicious of unusual calls – take the number, vet the caller and ring them back if you feel unsure of their identity

• Remember your good practice around emails and phishing

• If in doubt, ask!

Page 18

ACCESS CONTROL Controlling who has access to a computer or online service and the information it stores

ASSET Something of value to a person, business or organisation

BACKING UP To make a copy of data stored on a computer or server to lessen the potential impact of failure or loss

BRING YOUR OWN DEVICE (BYOD)

BUSINESS CONTINUITY Preparing for and maintaining continued business operations following disruption or crisis

CLOUD COMPUTING Delivery of storage or computing services from remote servers online (ie via the internet)

ENCRYPTION The transformation of data to hide its information content

FIREWALL Hardware or software designed to prevent unauthorised access to a computer or network from another computer or network

GAP ANALYSIS The comparison of actual performance against expected or required performance

HACKER Someone who violates computer security for malicious reasons, kudos or personal gain

HARD DISK The permanent storage medium within a computer used to store programs and data

IDENTIFICATION The process of recognising a particular user of a computer or online service

INTERNET SERVICE PROVIDER (ISP) Company that provides access to the internet and related services

KEYBOARD LOGGER A virus or physical device that logs keystrokes to secretly capture private information such as passwords or credit card details

LOCAL AREA NETWORK (LAN)

Communications network linking multiple computers within a defined location such as an office building

MACRO VIRUS Malware (ie malicious software) that uses the macro capabilities of common applications such as spreadsheets and word processors to infect data

MALWARE Software intended to infiltrate and damage or disable computers. Shortened form of malicious software

Page 19

NETWORK FIREWALL Device that controls traffic to and from a network

PASSWORD A secret series of characters used to authenticate a person’s identity

PERSONAL FIREWALL Software running on a PC that controls network traffic to and from that computer

PERSONAL INFORMATION Personal data relating to an identifiable living individual

PHISHING

Method used by criminals to try to obtain financial or other confidential information (including usernames and passwords) from internet users, usually by sending an email that looks as though it has been sent by a legitimate organisation (often a bank). The email usually contains a link to a fake website that looks authentic.

PORTABLE DEVICE A small, easily transportable computing device such as a smartphone, laptop or tablet computer

RISK Something that could cause an organisation not to meet one of its objectives

SECURITY CONTROL Something that modifies or reduces one or more security risks

SERVER Computer that provides data or services to other computers over a network

SPYWARE Malware that passes information about a computer user’s activities to an external party

THREAT Something that could cause harm to a system or organisation

VIRTUAL PRIVATE NETWORK (VPN)

Link(s) between computers or local area networks across different locations using a wide area network that cannot access or be accessed by other users of the wide area network

VIRUS Malware that is loaded onto a computer and then run without the user’s knowledge or knowledge of its full effects

VULNERABILITY A flaw or weakness that can be used to attack a system or organisation

WI-FI Wireless local area network based upon IEEE 802.11 standards

WORM Malware that replicates itself so it can spread to infiltrate other computers
