Awareness Program presented by Muhammad Moiz Uddin

Information Security - Awareness

Jan 18, 2016

IT security in everyday life
Audience: Non-IT Literate
Complexity Level: Low-Medium
Transcript
Page 1: Information Security - Awareness

Awareness Program

Presented by: Muhammad Moiz Uddin

Page 2: Information Security - Awareness

A compromised computer is a hazard to everyone else too, not just to you.

Page 3: Information Security - Awareness

2013, Internet Security breaches at a Glance …

There were 2,164 incidents reported through December 31, 2013 exposing 822 million records.

A single hacking incident involving Adobe Systems exposed 152 million names, customer IDs, encrypted passwords, debit or credit card numbers and other information relating to customer orders.

The Business sector accounted for 53.4% of reported incidents, followed by Government (19.3%), Medical (11.5%), Education (8.2%), and Unknown (7.6%).

The Business sector accounted for 73.9% of the number of records exposed, followed by Unknown at 24.5%.

59.8% of reported incidents were the result of Hacking, which accounted for 72.0% of exposed records.

4.8% of the reported incidents were the result of Web-related attacks, which accounted for 16.9% of exposed records.

Page 4: Information Security - Awareness

2013, Internet Security breaches at a Glance …

Breaches involving U.S. entities accounted for 48.7% of the incidents and 66.5% of the exposed records.

Four 2013 incidents have secured a place on the Top 10 All Time Breach List.

The number of reported exposed records tops 2.5 billion and the number of reported incidents tracked by Risk Based Security exceeded 11,200.

Sponsored by:
• Risk Based Security, February 2014
• Open Security Foundation, February 2014
• 2013 Data Breach Quick View

Page 5: Information Security - Awareness

Topics Covered

• Introduction to Information Security
• Information Security Policy
• Roles and Responsibility
• What are the Consequences of Security Violations
• CIA of Information Security
• Threats, Vulnerabilities and Risk
• Beware of Scams
• Good Security Practices
• Access Controls
• Internet Security
• Social Engineering
• Phishing Attacks
• Cookies
• Report a Security Incident

Page 6: Information Security - Awareness

Introduction to Information Security

Page 7: Information Security - Awareness

What is Information Security?

• Information Security (IS) – The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

• Information security is achieved through implementing technical, management, and operational measures designed to protect the confidentiality, integrity and availability of information.

• The goal of an IS program is to understand, manage, and reduce the risk to information under the control of the organization.

Page 8: Information Security - Awareness

CIA of Information Security

There are three elements to protecting information:

• Confidentiality – Protecting information from unauthorized disclosure to people or processes

• Integrity – Assuring the reliability and accuracy of information and IT resources

• Availability – Defending information systems and resources from malicious, unauthorized users to ensure accessibility by authorized users

Page 9: Information Security - Awareness

CIA of Information Security

• Your bank ATM is a good example of an information system that must be confidential, have integrity and be available.

• Imagine if your account was not kept confidential and someone else was able to access it when they approached the ATM. How much damage could be done?

• Imagine if every time you went to the ATM, the balance it displayed was inaccurate. How could the poor integrity of your balance information adversely affect your account management?

• Imagine if your bank’s ATM was rarely available when you needed it. Would you continue to use that bank?

Page 10: Information Security - Awareness

Roles and Responsibilities

Privacy policies and procedures require you to:

• Gather, use, and disclose information only for reasons that are for a legitimate job function, support the mission of OLP, and are allowed by law.

• Access information only for authorized purposes.

• Safeguard information in your possession, whether it be in paper or electronic format.

• Report suspected privacy violations or incidents.

• Properly delete documents containing significant information; NEVER place them in the trash.

Page 11: Information Security - Awareness

What are the consequences for security violations?

• Risk to security and integrity of personal or confidential information, e.g. identity theft, data corruption or destruction, unavailability of critical information in an emergency, etc.

• Loss of valuable business information

• Loss of employee and public trust, embarrassment, bad publicity, media coverage, news reports

• Costly reporting requirements in the case of a compromise of certain types of personal and financial information

• Internal disciplinary action(s) up to and including termination of employment, as well as possible penalties, prosecution and the potential for sanctions / lawsuits

Page 12: Information Security - Awareness

Threats, Vulnerabilities and Risk

Threats – the potential to cause unauthorized disclosure, changes, or destruction to an asset.
– Impact: potential breach in confidentiality, integrity failure and unavailability of information
– Types: natural, environmental, and man-made

Vulnerabilities – any flaw or weakness that can be exploited and could result in a breach or a violation of a system’s security policy.

Risk – the likelihood that a threat will exploit a vulnerability. For example, a system may not have a backup power source; hence, it is vulnerable to a threat, such as a thunderstorm, which creates a risk.

Page 13: Information Security - Awareness
Page 14: Information Security - Awareness

Threats

• Malicious Codes

Virus – A malicious program that secretly integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.

Worms – A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.

Page 15: Information Security - Awareness

Threats

Trojan Horse – This is a deceptive program that performs additional actions without the user's knowledge or permission. It does not replicate.

Logic Bomb – The logic bomb is a generic term for any type of malicious code that is waiting for a trigger event to release the payload.

Page 16: Information Security - Awareness

Threats

• Denial-of-Service Attacks
• Social Engineering
• Spyware
• Trackware
• Rootkits

Page 17: Information Security - Awareness

Beware of Scams

• Scams are increasingly sophisticated and use a variety of tactics, excuses and lies to convince you that it is a genuine request.

• Almost everyone will be approached by a scammer at some stage. Common types of scams include a surprise lottery win in the mail, email from your bank, the ‘free’ holidays and ‘guaranteed income’ scams.

Page 18: Information Security - Awareness

Types of Scams (but not limited to)

• Banking and online account
• Chain letters and pyramid
• Health and medical
• Identity theft
• Investment
• Job and employment
• Lottery and competition
• Money transfer
• Mobile phone
• Online
• Personalized
• Business

Page 19: Information Security - Awareness
Page 20: Information Security - Awareness

Who are these guys?

Page 21: Information Security - Awareness

Malicious Hackers

• White Hat
• Black Hat
• Grey Hat
• Elite Hacker
• Script Kiddie

Page 22: Information Security - Awareness

Attacking Methodology

1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks

Page 23: Information Security - Awareness

What Does This Mean for Me?

• This means that everyone who uses a computer or mobile device needs to understand how to keep their computer, device and data secure. Information Technology Security is everyone’s responsibility.

• You are responsible for familiarizing yourselves and complying with related information security policies, procedures and standards.

Page 24: Information Security - Awareness

Good security practices

• Follow security SOPs / adhere to controls
• Never share passwords or passphrases
• Keep antivirus updated
• Do not click random links
• Beware of email and attachments from unknown people
• Do not download unfamiliar software off the Internet
• Do not propagate virus hoaxes or chain mail
• Log out of or lock your computer / shut down computers
• Remove unnecessary programs or services
• Restrict remote access

Page 25: Information Security - Awareness

Good security practices

• Frequently back up important documents and files
• Treat sensitive data very carefully
• Remove data securely
• Deploy encryption whenever it is available
• Create a different password for each system or application
• Do not reuse passwords until six other passwords have been used

Page 26: Information Security - Awareness

Access Controls

A strong password for your network account and other applications is a basic protection mechanism. While it is tempting to create an easy or generic password that is easy to remember, it is not very secure.

Page 27: Information Security - Awareness

Access Controls

Two rules for stronger passwords:

• Create a password at least eight characters in length.

• The password should contain at least one of each:
» Capital letter
» Lowercase letter
» Number
» Special character (%,^,*,?)

Page 28: Information Security - Awareness

Access Controls

Having trouble remembering passwords? Use a passphrase.
– Use the initials of a song or phrase to create a unique password
– Example: “Take me out to the ballgame!” becomes “Tmo2tBG!”

Commit passwords to memory. If you are still having trouble, then write it down and keep it in a secure place, like your wallet. DO NOT keep passwords near your computer or on your desk.
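The password rules on the Access Controls slides (at least eight characters, with a capital letter, a lowercase letter, a number and a special character) and the earlier practice of not reusing a password until six others have been used are the kind of rules a system can enforce at password-change time instead of leaving them to memory. The Python below is an added example, not code from the presentation: the policy constants, the PasswordHistory class and the validate_new_password function are assumptions chosen to mirror the slides, "special character" is read broadly as any character that is not a letter or digit, and the passwords used in the demo are constructed test data.

```python
import hashlib
import hmac
import os

# Constructed policy mirroring the slides (assumptions, not the presentation's code).
MIN_LENGTH = 8      # "at least eight characters in length"
HISTORY_DEPTH = 6   # "do not reuse passwords until six other passwords have been used"


def check_password_policy(password: str) -> list:
    """Return the list of rule violations; an empty list means the password complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    # "Special character" read broadly: anything that is not a letter or digit.
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


class PasswordHistory:
    """Remembers the last `depth` passwords of one account as salted PBKDF2 hashes,
    so reuse can be detected without ever storing a password in clear text."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self._entries = []  # list of (salt, digest) pairs, newest last

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        # Slow, salted hash: a leaked history file does not hand over old passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def was_used_recently(self, password: str) -> bool:
        """True if the candidate matches any remembered password (constant-time compare)."""
        return any(
            hmac.compare_digest(self._digest(password, salt), digest)
            for salt, digest in self._entries
        )

    def record(self, password: str) -> None:
        """Store the newly set password and forget anything older than `depth` entries."""
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))
        del self._entries[:-self.depth]


def validate_new_password(password: str, history: PasswordHistory) -> list:
    """Combine the complexity rules with the reuse rule for a password change."""
    problems = check_password_policy(password)
    if history.was_used_recently(password):
        problems.append(f"reused within the last {history.depth} passwords")
    return problems


if __name__ == "__main__":
    history = PasswordHistory()
    history.record("Tmo2tBG!")  # the slide's passphrase-derived example, used as constructed demo data
    print(validate_new_password("password", history))   # complexity failures
    print(validate_new_password("Tmo2tBG!", history))   # reuse failure
    for i in range(HISTORY_DEPTH):
        history.record(f"Rotate{i}Xy!")               # six constructed "other" passwords
    print(validate_new_password("Tmo2tBG!", history))   # [] : allowed again after six others
```

The history is kept as salted, slow hashes rather than plain strings on purpose: the reuse check needs to recognise an old password, but a stolen history file must not reveal it. Without the history rule, the complexity rules alone would let a user alternate between two compliant passwords indefinitely.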

Page 29: Information Security - Awareness

Internet Security

Cyber crime refers to any crime that involves a computer and a network. Offenses are primarily committed through the Internet. Common examples of cyber crime include:

– Credit card fraud;
– Spam; and
– Identity theft.

Page 30: Information Security - Awareness

Social engineering

These individuals may look trustworthy, but in fact are sophisticated cyber criminals.

They use social engineering techniques to obtain your personal information, access sensitive government information, and even steal your identity.

Page 31: Information Security - Awareness

Social engineering

Social engineering is classically defined as the art of manipulating and exploiting human behavior to gain unauthorized access to systems and information for fraudulent or criminal purposes. Social engineering attacks are more common and more successful than computer hacking attacks against the network.

Page 32: Information Security - Awareness

Social engineering

Social engineering attacks are based on natural human desires like:
– Trust
– Desire to help
– Desire to avoid conflict
– Fear
– Curiosity
– Ignorance and carelessness

Page 33: Information Security - Awareness

Social engineering

Social engineers will gain information by exploiting the desire of humans to trust and help each other.

Page 34: Information Security - Awareness

Phishing Attacks

Spear phishing is an attack that targets a specific individual or business. The email is addressed to you and appears to be sent from an organization you know and trust, like a government agency or a professional association. Whaling is a phishing or spear phishing attack aimed at a senior official in the organization.

Page 35: Information Security - Awareness

Cookies

A cookie is a text file that a website puts on your hard drive that saves information that you typed in, like preferences or user name. Cookies can also be used to track your activities on the web. Cookies pose a security risk because someone could access your personal information or invade your privacy.

Page 36: Information Security - Awareness

Cookies

Combat cookies

Use cookies with caution. Confirm that web sites that ask for personal information are encrypted and the URL begins with “https”. Note that there is an inherent risk anytime you enter personal information on a web site.

Page 37: Information Security - Awareness

Quiz: A hacked computer can be used to… (select all that apply)

1. Record keystrokes and steal passwords.

2. Send spam and phishing emails.

3. Harvest and sell email addresses and passwords.

4. Access restricted or personal information on your computer or other systems that you have access to.

5. Illegally distribute music, movies and software.

6. Distribute child pornography.

7. Infect other systems.

8. Generate large volumes of traffic, slowing down the entire system.

Page 38: Information Security - Awareness

ALL

Page 39: Information Security - Awareness

Report a Security Incident

A computer security incident is any attempted or successful unauthorized access, disclosure, or misuse of computing systems, data or networks (including hacking and theft).

You should:
– Preserve the evidence
– Remediate (if possible, run antivirus)
– Isolate the system
– Report to:
  • your internet service provider, OR
  • your antivirus company, OR
  • your company’s IT security department

Page 40: Information Security - Awareness

Other Essential Security Measures

Page 41: Information Security - Awareness

Keep in mind

• Make sure your computer is protected with anti-virus and all necessary security "patches" and updates, and that you know what you need to do, if anything, to keep them current.

• Do not keep sensitive information or your only copy of critical data on portable devices (laptops, CDs/DVDs, data sticks, PDAs, phones, etc.) unless they are properly protected.

Page 42: Information Security - Awareness

Keep in mind

• Do not install unknown or unsolicited programs on computers.
– Such as programs you find out about through email.
– These can harbor behind-the-scenes computer viruses or open a "back door" giving others access to your computer without your knowledge.

• Make backup copies of data you are not willing to lose and store the copies very securely.

• Shut down, lock, log off of, or put your computer to sleep before leaving it unattended, and make sure it requires a password to start up or wake-up.

Page 43: Information Security - Awareness

Keep in mind

• Be careful when using wireless.

– Information sent via standard wireless is especially easy to intercept

– Do not connect to unknown wireless hot spots/access points if you're concerned about security or privacy (or your passwords)

– Set devices to "ask" before joining networks so you do not unknowingly connect to insecure wireless networks

• Be sure that automatic login and guest accounts are disabled on your computer.

• Always shut your computer down properly; do not just press the power button or turn off the monitor.

Page 44: Information Security - Awareness

Keep in mind

• Secure laptop computers at all times: keep it with you or lock it up before you step away.
– At all times: in your office, at meetings, conferences, coffee shops, etc.
– Make sure it is locked to or in something permanent!

Page 45: Information Security - Awareness

Security Self-Test: Questions & Scenarios

Page 46: Information Security - Awareness

Scenarios 1

1. You receive an e-mail with an attachment from "I.T. Security." The e-mail says that your computer has been infected with a virus and you need to open the attachment and follow the directions to get rid of the virus. What should you do? (Select all that apply)

A. Follow the instructions ASAP to avoid the virus.
B. Open the e-mail attachment to see what it says.
C. Reply to the sender and say "take me off this list".
D. Delete the message from the unknown source.
E. Contact the IT Help Desk and ask about the email.

Page 47: Information Security - Awareness

Scenarios 2

2. Which workstation security safeguards are YOU responsible for following and/or protecting? (Select all that apply)

1. User I.D.
2. Password
3. Log-off programs
4. Lock-up office or work area (doors, windows)
5. All of the above

Page 48: Information Security - Awareness

Scenarios 3

3. Someone used his Gmail account at a cyber cafe. He made sure his Gmail account was no longer open in the browser window before leaving the cafe. Someone came in behind him and used the same browser to re-access his account. They started sending emails from it and caused all sorts of mayhem.

Question: What do you think might be going on here?

Page 49: Information Security - Awareness

Scenarios 4

4. You receive an email from your bank telling you there is a problem with your account. The email provides instructions and a link so you can log in to your account and fix the problem. What should you do?

Page 50: Information Security - Awareness

Scenarios 5

5. A while back, the IT folks got a number of complaints that one of our computers was sending out spam. They checked it out, and the reports were true: a hacker had installed a program on the computer that made it automatically send out tons of spam email without the computer owner's knowledge.

Q: How do you think the hacker got into the computer to set this up?