Cybercrime Prevention and Awareness
Basic Security Principles to Help You Better Navigate Through Cyberspace
Presented by: Miguel Fra
miguel@falconitservices.com
www.falconitservices.com
Sources: Neostrategos, onlinecollegecourses.com, forbes.com, go-gulf.com, us-cert.gov, microsoft.com, staysafeonline.org, ncsa
April, 2014
To join the conference call dial (305) 433-6663 option 4, PIN # 42014
Why We Need Security Training
• 3 in 4 Americans have been hacked or have been victims of cybercrime.
• 90% of businesses have been hacked in the last 12 months. Of those, 77% have been hacked more than once.
• Last year, $1 trillion in intellectual property was stolen by cyber criminals.
• 600,000 Facebook accounts get hacked every day.
• 92% of the top 100 paid mobile apps have been hacked.
• 30,000 Web sites are hacked per day.
• The estimated annual cost of cybercrime is 100 billion US$.
• 1.5 million cybercrime victims per day.
How Cyber Criminals Get Access
[Chart: Types of Attacks. Categories: Viruses, Insider, Device Theft, SQL Injection, Phishing, Web Based]
[Chart: Hacked Bank Funds Recovery. Categories: Able to hold on, Able to recover funds, Unrecoverable]
Situational Awareness is Key
Security is an individual as well as a business investment. Learn as much as you can so that you can help prevent cybercrime. Individual training and awareness is an additional layer added to your company’s existing hardware and software security infrastructure.
Good Password Policies
• Use strong passwords with upper case, lower case, numbers and special characters and a minimum of 6 characters.
• Don’t use passwords that contain names, birthdays, pet names, phone numbers, etc.
• Don’t use names or dictionary words followed by numbers, e.g. Stingray2010, Fireman1, Baseball1234.
• Don’t share passwords across multiple services, e.g. the same password for Gmail, credit cards, work, Twitter, etc.
• Don’t use sequential passwords for different services, e.g. myPassword10, myPassword11, myPassword12, etc.
• Don’t store your passwords under your keyboard, in your drawer, in Outlook, Gmail, your phone, password wallet software, etc. The best place to store passwords is in your brain; second best is written on a piece of paper and kept in your wallet.
• If you have a bad memory, use meaningful words with a twist, like 1L0v3Ch0c0l@t3 (ILoveChocolate).
• Be wary of shoulder surfers who may be looking at you when you enter your password.
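The password rules on this slide, turned into a checker as an added example (this is not the presenter's code). WORDLIST is a constructed stand-in for a real dictionary and name list, and the "used elsewhere" list stands in for passwords already used on other services.

```python
import re
from typing import Iterable, List

# Constructed stand-in for a dictionary / common-name list (assumption: a
# real deployment would load a full word list here instead).
WORDLIST = {"stingray", "fireman", "baseball", "password", "chocolate", "summer"}


def _stem(pw: str) -> str:
    """Password with trailing digits removed, lower-cased (myPassword10 -> mypassword)."""
    return re.sub(r"\d+$", "", pw).lower()


def check_password(pw: str, used_elsewhere: Iterable[str] = ()) -> List[str]:
    """Return the slide's policy violations for pw (an empty list means it passes).

    used_elsewhere: passwords already used on other services, so the check can
    flag reuse and sequential variants (myPassword10 -> myPassword11).
    """
    problems = []
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper case letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    # A name or dictionary word followed only by numbers: Stingray2010, Fireman1
    word_then_digits = re.fullmatch(r"([A-Za-z]+)\d+", pw)
    if word_then_digits and word_then_digits.group(1).lower() in WORDLIST:
        problems.append("dictionary word followed by numbers")
    for old in used_elsewhere:
        if pw == old:
            problems.append("already used on another service")
        elif _stem(pw) and _stem(pw) == _stem(old):
            problems.append(f"sequential variant of {old!r}")
    return problems
```

The "meaningful words with a twist" example from the slide passes every rule, while the three rejected examples and a sequential pair are each flagged.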
Good Desktop PC Security Policies
• Log off from your desktop when you leave your desk.
• Do not store private information such as social security numbers, etc. on your desktop or in unsecured network folders.
• If you receive an anti-virus alert, report it immediately.
• Don’t install any software/apps that have not been specifically authorized.
• Keep your desktop and AV up to date. Accommodate time for our technicians when they periodically call you to do desktop maintenance.
• Read computer alerts and understand them. Don’t just click on them to get rid of them!
Beware of Phishing & Social Engineering
• Phishing is the practice of luring users to visit fake Web sites in order to steal passwords, PIN numbers and other sensitive information.
• Social engineering is the practice of using personal charm, charisma, deception and trickery in order to elicit sensitive information from the victim.
• Social engineers use social media (Twitter, Facebook, Web sites, etc.) to discover information about the victim (reconnaissance). Be as discreet as possible.
E-Mail & Phishing
• Do not follow links from e-mail asking you to visit a Web page.
• Be wary of banks, credit cards, the IRS, utilities and others asking you to visit their site via an unsolicited e-mail link.
• Always make sure that login pages use SSL and that the login page address starts with https://
• Always make sure that the domain name is darker than the rest of the URL when visiting sites.
• Look for inconsistencies, bad grammar and/or misspelled words in e-mails and on Web sites as signs of potential phishing sites.
• Don’t send confidential information by e-mail, instant messaging or text message.
• Situational awareness: don’t open e-mails with attachments if they are out of context (e.g. iloveponies.pdf from your boss or businessmeeting.pdf from a relative).
• View all e-mail attachments and links with suspicion, no matter who they are from.
• Beware of: generic salutations, suspicious e-mail addresses, alarmist messages, grammatical errors/misspellings, and requests to verify, update or change account settings.
• Be wary of unsolicited requests by e-mail to reset your PIN, ID or password.
• Don’t open attachments from unsolicited or unexpected e-mails.
• Avoid opening ZIP files unless you know who it’s from AND you are specifically expecting it!
• Don’t access your personal e-mail from your work
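The two URL checks from this slide (the login page uses https, and the part of the address the browser darkens is the domain you expect) as an added Python example; it is not code from the presentation. MULTI_LABEL_SUFFIXES is a constructed stand-in for the public suffix list, and the sample URLs in the usage are constructed.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real check
# would consult the full list published at publicsuffix.org).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """The part of the host a browser darkens in the address bar: the label
    directly under the public suffix, plus the suffix itself."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_login_url(url: str, expected_domain: str) -> dict:
    """Apply the slide's two checks: the page is served over https, and the
    registrable domain (not merely some prefix of the host) is the expected one.

    A host like mybank.example.login-verify.example starts with the bank's
    name, but the darkened, registrable part is login-verify.example."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host) if host else ""
    warnings = []
    if parts.scheme != "https":
        warnings.append("login page is not https")
    if domain != expected_domain.lower():
        warnings.append(f"site belongs to {domain!r}, not {expected_domain!r}")
    return {"host": host, "domain": domain, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample addresses: one genuine-looking, one lookalike.
    for u in ("https://www.mybank.example/login",
              "http://mybank.example.login-verify.example/secure"):
        print(u, check_login_url(u, "mybank.example")["warnings"])
```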
Social Engineering
• If you get a call from a bank, credit processor, the IRS, phone company etc. and they ask for private information, DO NOT divulge the information. Instead, ask for their name and extension and call them back on the number listed on their corporate Web site.
• Unless you can positively identify the person who called you, never give out information to an inbound caller.
• Reduce the amount of information about yourself on Facebook, LinkedIn and other social media sites. That information is useful in social engineering.
• Do not give passwords or personal information to helpdesk or support technicians. They should have access to your system via their own user names and passwords.
• Be careful who you add as a friend or connect to when using social media.
• Don’t post business owner or manager information on social media sites. They are high value targets for social engineers.
Common Social Engineering Tactics
• Familiarity exploit: posing as familiar entities or using those positions for reconnaissance. Do not give information to people from the phone company, mailmen, electric company, etc.
• Creating emergencies or urgency. This makes the victim nervous, anxious and more likely to divulge information.
• Creating hostile situations. People often try hard to avoid fights and hostilities and, in trying to do so, may lose situational awareness and divulge information.
Web Surfing
• 30,000 Web sites get hacked each day, so be wary even when surfing known Web sites.
• Don’t download and install apps from unknown Web sites.
• Don’t download and install unsolicited apps even from known Web sites.
• Read alerts. Don’t just click on them to get rid of them!
• Use situational awareness and be extra careful when surfing new or unknown Internet sites.
Drive By Infections
• If you see a pop-up while surfing claiming that you are infected with a virus, press ALT+F4 to close the window or CTRL+ALT+DEL to log off. Do not click on any part of the pop-up, not even the X to close the window!!!
• Read Windows pop-up alerts. Don’t just click on them to get rid of them.
• Beware of threats of inaction, over-the-top virus alerts and demagoguery. These tend to be viruses.
Social Media & On-Line Services
• Social media and free services such as Facebook, Twitter, Gmail and others want as much personal information about you as possible so that they can sell it to advertisers (big data).
• Hackers want the same information so that they can use social engineering to gain unauthorized access to your valuables.
• On-line services opt for convenience over security because they do not want to push customers away.
• Don’t post anything you would say only to a close friend, such as feelings, money problems, etc. These types of posts expose you to cyberbullying and on-line scammers.
• Keep sensitive data to yourself, especially information that can be used by scammers to impersonate you.
• Talk to your family, friends and employees about what you don’t want posted on-line.
• On-line services rely on common social media comments as password reset or authentication mechanisms for forgotten passwords (favorite movie, favorite pet, elementary school). That is the same information people usually post willingly on social media!
• Laws have not caught up with technology; in fact they are YEARS behind. Laws are needed for people and corporations to behave ethically, and those laws have yet to catch up to new technologies and on-line privacy.
• Although it’s illegal for an employer to ask you about race, religion or ethnicity during a job interview, it’s not illegal for an employer to filter out those same things using social media tools.
• According to the WSJ, lenders are mining Facebook and other social media sites to determine credit worthiness.
• You can be denied disability claims or pay higher life insurance premiums based on what you or your relatives post on-line.