Cybercrime Prevention and Awareness

16  Download (0)

Full text

(1)

Cybercrime Prevention and

Awareness

Basic Security Principles to Help You Better Navigate Through Cyberspace

Presented by: Miguel Fra

miguel@falconitservices.com

www.falconitservices.com

Sources: Neostrategos, onlinecollegecourses.com, forbes.com, go-gulf.com, us-cert.gov, microsoft.com, staysafeonline.org, ncsa

April, 2014

To join conference call dial

(305) 433-6663 option 4

PIN # 42014

(2)

Why We Need Security Training

3 in 4 Americans have been hacked or have been victims of

cyber crime.

90% of businesses have been hacked in the last 12 months.

Of those, 77% have been hacked more than once.

Last year, $ 1 trillion in intellectual property was stolen by

cyber criminals.

600,000 Facebook accounts get hacked every day.

92% of top 100 paid mobile apps have been hacked.

30,000 Web site hacked per day.

Estimated annual cost of cybercrime is 100 Billion US$

1.5 million cybercrime victims per day.

(3)

How Cyber Criminals get Access

Types of Attacks

Viruses

Insider

Device Theft

SQL Injection

Phishing

Web Based

(4)

Hacked Bank Funds

Recovery

Able to hold on

Able to recover funds

Unrecoverable

(5)

Situational Awareness is Key

Security is an individual as well as a business investment. Learn

as much as you can so that you can help prevent cybercrime.

Individual training and awareness is an additional layer added

to your company’s existing hardware and software security

infrastructure.

(6)
(7)

Good Password Policies

• Use strong passwords with upper case, lower case, number and special characters and a minimum of 6 characters. • Don’t use passwords that contain names, birthdays, pet names, phone numbers, etc.

• Don’t use names or dictionary words followed by numbers, i.e. Stingray2010, Fireman1, Baseball1234

• Don’t share passwords across multiple services i.e. same password for Gmail, Credit Cards, Work, Twitter, etc. • Don’t use sequential passwords for different services i.e. myPassword10, myPassword11, myPassword12, etc.

• Don’t store your passwords under your keyboard, in your drawer, in Outlook, Gmail, Phone, password wallet software, etc.). Best place to store passwords is in your brain, second best is written on a piece of paper and kept in your wallet.

• If you have a bad memory, use meaningful words with a twist like: 1L0v3Ch0c0l@t3 (ILoveChocolate) • Be weary of shoulder surfers that may be looking at you when you enter your password.

(8)

Good Desktop PC

Security Policies

Log off from your desktop when you

leave your desk.

Do not store private information such as

social security numbers, etc. on your

desktop or unsecured network folders.

If you receive an anti virus alert,

immediate report it.

Don’t install any software/apps that

have not been specifically authorized.

Keep your desktop and AV up to date.

Accommodate time for our technicians

when they periodically call you to do

desktop maintenance.

Read computer alerts and understand

them. Don’t just click on them to get rid

of them!

(9)

Beware of Phishing & Social

Engineering

Phishing is the practice of

luring users to visit fake

Web sites in order to steal

passwords, pin numbers

and other sensitive

information.

Social Engineering is the

practice of using personal

charm, charisma, deception

and trickery in order to elicit

sensitive information from

the victim.

Social engineers use social

media (Twitter, Facebook,

Web Sites, etc.) to discover

information about the

victim (reconnaissance). Be

as discreet as possible.

(10)

E-Mail &Phishing

• Do not follow links from e-mail asking you to visit a

Web page.

• Be weary of banks, credit cards, IRS, utilities, and

others asking you to visit their site via unsolicited e-mail link.

• Always make sure that login pages use SSL and that

the login pages starts with https://

• Always make sure that the domain name is darker

than the rest of the URL when visiting sites.

• Look for inconsistencies, bad grammar and/or

misspelled words on e-mails and web sites as signs of potential fake phishing sites.

• Don’t send confidential information by e-mail,

Instant messaging or text message.

• Situational awareness: don’t open e-mails with

attachments if they are out of context ( i.e.

iloveponies.pdf from your boss or businessmeeting.pdf from a relative)

• View all e-mail attachments and links with

suspicions. No matter who they are from.

• Beware of: generic salutations, suspicious email

addresses, alarmist messages, grammatical errors/misspellings, request to verify, update or change account settings.

• We weary of unsolicited requests by e-mail to reset

your PIN, ID or password.

• Don’t open attachments from unsolicited or

unexpected e-mails.

• Avoid opening ZIP files unless you know who it’s

from AND you are specifically expecting it!

• Don’t access your personal e-mail from your work

(11)

Social Engineering

• If you get a call from a bank, credit processor, IRS, phone company etc. and they ask for private information, DO NOT divulge the information. Instead, ask for their name and extension and call them on the number listed on their corporate Web site.

• Unless you can positively identify the identity of the person you called you, never give out information to an inbound caller.

• Reduce the amount of information about yourself in Facebook, LinkedIn and other social media sites. That information is useful in social engineering.

• Do not give passwords or personal information to helpdesk or support technicians. They should have access to your system via their own user names and passwords.

• Careful who you add as a friend or connect to when using social media. • Don’t post business owners or manager information on social engineering

sites. They are high value targets for social engineers. Common Social Engineering Tactics

• Familiarity Exploit – Posing as familiar entities or using those positions for reconnaissance. Do not give information to people from the phone company, mailmen, electric company, etc.

• Creating emergencies or urgency. This makes the victim nervous, anxious and more likely to divulge information.

• Creating hostile situations. People often try hard to avoid fights and hostilities and in trying to do so, may lose situational awareness and divulge information.

(12)

Web Surfing

• 30,000 Web sites get hacked each day, so be weary

even when surfing known Web sites.

• Don’t download and install Apps from unknown

Web sites.

• Don’t download and install unsolicited Apps even

from known Web sites.

• Read alerts. Don’t just click on them to get rid of

them!

• Use situational awareness and be extra careful

when surfing new or unknown Internet sites.

(13)

Drive By Infections

If you see pop up while

surfing, and it’s claiming that

you are infected with a virus,

press ALT+F4 to close the

window or CTRL+AL+DEL to

log off. Do not click on any

part of the pop up, not even

the X to close the window!!!

Read Windows pop-up alerts.

Don’t just click on them to get

rid of them.

Beware of threats of inaction,

over the top virus alerts and

demagoguery. These tend to

be viruses.

(14)

Social Media & On-Line Services

• Social Media and Free Services such as Facebook,

Twitter, Gmail and other want as much personal information about you as possible so that they can sell it to advertisers (big data).

• Hackers want the same information so that they can

use social engineering to gain unauthorized access to your valuables.

• On-Line services opt for convenience over security

because they do not want to push customers away.

• Don’t post anything you would say only to a close

friend such as feelings, money problems, etc. These types of posts expose you to cyberbullying and on-line scammers.

• Keep sensitive data to yourself. Especially

information that can be used by scammers to impersonate you.

• Talk to your family, friends and employees about

what you don’t want posted on line.

• On-Line services rely on common social media

comments as password reset or authentication mechanisms for forgotten passwords (favorite movie, favorite pet, elementary school). That same information people usually post willingly on social media!

• Laws have not caught up with technology, in fact

they are YEARS behind. Laws are needed for people and corporations to behave ethically. Those laws have yet to catch up to new technologies and on-line privacy.

• Although it’s illegal for an employer to ask you

about race, religion or ethnicity during a job interview, it’s not illegal for an employee to filter out those same things using social media tools.

• According to WSJ, lenders are mining Facebook and

other social media sites to determine credit worthiness.

• You can be denied disability claims based or pay

higher life insurance premiums based on what you or your relatives post on-line.

(15)

Smart Phones

52% of large businesses have reported

smartphone incidents in the past year.

93% of workers connect their smartphones

to corporate networks.

Risk comes via apps that have access to

phonebooks, e-mail, microphone, cameras,

etc.

Abuse/Spying/Misuse of corporate data by

ISP’s/ Handset Makers/ Apps.

Ask yourself: Why are so many apps FREE?

Rogues are apps usually undetected since

smartphone security is in its infancy and

smartphones seldom have antimalware.

Don’t keep sensitive data on your

smartphone.

Turn off smartphones during private

meetings or when talking about extremely

private information.

Apps such as CrowdPilot, Facebook, Flexispy,

etc. can listen in to your conversations, read

your call log, etc.

Many insider exploiters usually go unnoticed

if it were not for human error (see case of

Google engineer David Barksdale)

(16)

Resources

• http://www.microsoft.com/security/resources • http://www.staysafeonline.org/ncsam/ • http://www.huffingtonpost.com/nathan-newman/why-googles-spying-on-use_b_3530296.html • http://gawker.com/5638874/david-barksdale-wasnt-googles-first-spying-engineer • http://articles.latimes.com/2011/jan/25/business/la-fi-facebook-evidence-20110125 • http://www.relevanza.com/denied-loan-facebook-posts/ • http://www.motherjones.com/politics/2013/09/lenders-vet-borrowers-social-media-facebook

Thank you for attending this presentation. If you would like to continue, stay on

the call for questions and answers!

Figure

Updating...

References

Related subjects :