Why Awareness Training?
• NCLM sanctioned multiple Security Risk Assessments for a broad spectrum of member municipalities
• The assessments identified areas of weakness common throughout the sampled municipalities regardless of size
• One of the most common identified weaknesses is a lack of general end-user security awareness training
What will this training cover?
• This training will highlight general end-user best practices that apply to the most common information security weaknesses identified during member municipality security risk assessments, including:
– Ensuring your workstation is up-to-date and secure
– Creating and using secure passwords
– Using your mobile devices in a secure manner
– How to surf the net and use email securely
What will this training cover? (cont’d)
• This training will also teach you:
– What should be considered sensitive and protected information
– Potential consequences of an information security breach
– How to arm yourself with information security intelligence
– And what to do if you encounter something suspicious
What’s in it for me?
• The goal is to educate employees to:
– Proactively secure their computing resources at home and at work.
– Recognize what types of security issues and incidents may occur.
What is sensitive data? And why should we protect it?
Sensitive data may include:
– Credit card numbers
– Social Security numbers
– Driver’s license numbers
– Protected health data
– Law enforcement data
– Business processes
– Financial data
– Copyrights
– Trademarks
– HR data
It’s valuable to our residents, our employees, and our operation – protect it!
Threat Sources
• Threat sources may include both insiders and outsiders, such as the following:
– Governments
– Disgruntled employees
– Hackers
Information Security Statistics
• A few things to be aware of:
– External parties (“outsiders”) are responsible for far more data breaches than insiders and partners (98% of breaches in 2012).
– Malware factored in over 2/3 of the breaches investigated.
– Identity theft is the fastest growing crime in the US:
• More than 750,000 victims a year (or 1 in 20 Americans) with losses exceeding $2 Billion.
– Over 1,000 viruses are created each month.
Source: Verizon Data Breach Report 2012 –
What does this have to do with me?
People are the weakest link. You can have the best technology, firewalls, intrusion-detection systems, biometric devices—and somebody can call an unsuspecting employee. That’s all she wrote, baby. They got everything.
— Kevin Mitnick
Kevin Mitnick is a computer security consultant, author, and hacker. In the mid 90's, he was the world's most-wanted computer hacker.
What can happen?
• Bad things that can happen:
– Disruption of business/personal time
– Loss of $$$ (business/personal)
– Identity theft
– Heavy fines from regulatory agencies
– Criminal investigations
– Lawsuits
– Reputational damage to the municipality and its elected officials
General Best Practices
• Make sure your workstation is secure:
– Install active anti-virus and keep it current.
– Apply Microsoft and third-party software security updates.
– Do not install unauthorized/free software on Municipal systems without IT approval.
– Do not install free software at home unless it has been validated by a trusted source.
– Do not disable security software, such as anti-virus, personal firewall and intrusion detection software.
Password Best Practice
• Use a complex password.
– At least eight characters
– Use capital and lower-case letters, numbers and symbols
– Do not use commonly used passwords like “password,” “12345678” or “LetMeIn”.
– Use phrases, and substitute symbols and numbers for letters. For example, instead of “MyDogSpot” use “MyD0g$p0t”.
• Change your password at least every 60-90 days.
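The rules on this slide can be turned into a check that an IT team can run over proposed passwords. The Python below is an added example, not part of the deck or any vendor tool: the denylist is a constructed stand-in for a real list of leaked passwords, and the substitution map simply reverses the kind of letter-for-symbol swap the slide recommends, so a common word dressed up as “P@ssw0rd” is still rejected while a phrase such as “MyD0g$p0t” passes.

```python
"""Check candidate passwords against the rules on this slide (added example).

Rules implemented: at least eight characters; upper-case, lower-case, digits
and symbols present; not a commonly used password, even after the kind of
symbol/number substitution the slide recommends; rotation after 60-90 days.
"""
import string
from datetime import date

MIN_LENGTH = 8
MAX_AGE_DAYS = 90  # upper end of the slide's 60-90 day rotation window

# Constructed denylist for the example; a real deployment would load a much
# larger list of known-leaked passwords.
COMMON_PASSWORDS = {"password", "12345678", "letmein", "qwerty", "welcome1"}

# Reverse of the substitutions the slide suggests ("MyDogSpot" -> "MyD0g$p0t"),
# used only to normalise a candidate before the denylist lookup.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "@": "a", "$": "s", "!": "i"})


def normalise(candidate):
    """Lower-case the candidate and undo common symbol/number substitutions."""
    return candidate.lower().translate(SUBSTITUTIONS)


def password_problems(candidate):
    """Return the list of rules the candidate breaks; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no symbol")
    # Check both the plain and the de-substituted form against the denylist.
    if candidate.lower() in COMMON_PASSWORDS or normalise(candidate) in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


def _as_date(value):
    """Accept either a date object or an ISO string such as '2012-04-15'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def needs_rotation(last_changed, today=None, max_age_days=MAX_AGE_DAYS):
    """True when the password is older than the rotation window."""
    last_changed = _as_date(last_changed)
    today = _as_date(today) if today else date.today()
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    for candidate in ["password", "LetMeIn", "MyDogSpot", "MyD0g$p0t", "P@ssw0rd"]:
        problems = password_problems(candidate)
        print(f"{candidate!r}: {'OK' if not problems else ', '.join(problems)}")
    print("rotation due:", needs_rotation("2012-01-01", "2012-04-15"))
```

The character-class rules are the ones the slide prescribes; in practice the denylist check is the one that catches most weak choices, which is why the example normalises substitutions before looking a candidate up.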
Secure your workstation
• Lock your computer when you leave your work area.
• Set your screensaver to automatically start after a few minutes of inactivity.
– Require password entry to deactivate screensaver.
• Do not store written passwords.
– Passwords stored on your desk or monitor, underneath keyboards or in desk drawers are not secure!
• Do not email passwords.
– Information contained in emails isn’t encrypted and can
Stay informed
• Arm yourself with information:
– If your anti-virus vendor offers an alert notification service, subscribe to it. Check other vendors to see if they have an alert list as well. Some anti-virus developers will release warnings ahead of others; therefore, it may be good practice to subscribe to a number of lists.
– Symantec’s Guide to Scary Internet Stuff series provides useful information in a humorous manner (YouTube). Topics include:
• Phishing, Botnets, Underground Economy, Drive-by Downloads, Misleading Applications, Net Threats, Losing Your Data, etc.
– Microsoft offers a security bulletin mailing list as well. Subscribing to this list will allow you to stay on top of security-related patches and could prevent problems such as falling victim to known attacks:
• http://technet.microsoft.com/en-us/security/
Sources: http://www.symantec.com/connect/articles/introduction-viruses-and-malicious-code-part-two-protection and
Mobile Device Security
• Never leave mobile devices unattended in a public area such as a restaurant or coffee shop.
• Never leave mobile devices in plain view through the windows of a car.
• Use device locks such as a PIN/passcode on phones or tablets.
• Use anti-virus.
More Mobile Device Security
• Be mindful of QR codes.
– Scanning a QR code is just like clicking on a link!
– Just like a link, a QR code can be used for malicious purposes.
– Use an app like Norton Snap to make sure they’re legitimate.
– When in a store or restaurant, make sure the QR code you’re about to scan is not a sticker and is actually printed on the item or marketing material.
More Mobile Device Security
• Be mindful of what you install.
– Make sure apps are from reputable sources.
– Check permissions. Are they appropriate for the app you’re downloading?
– If in doubt, ask IT for guidance.
• Don’t store sensitive data on your mobile devices.
– This includes laptops, phones, tablets and removable storage devices like USB drives.
Internet Security Best Practices
• While on the Internet:
– Configure your computer to ask before installing software, and do not browse the web while logged on as administrator.
– Social networking websites do not verify any content they display, so make sure you trust the poster before viewing videos or media files (many contain embedded malicious code).
– Avoid using “Remember this password” for websites.
– Free music and file sharing programs are wide-open doors for hackers—BitTorrent, Kazaa, P2P (peer-to-peer).
– Before you ever enter sensitive information, look for the browser lock and https://
Internet Security Best Practices
• Beware of malware and spyware:
– Software could be installed that tracks and records keystrokes, mouse movements and clicks, websites visited and virtually any other activity on a computer—including your bank account login ID and password.
– Ever get pop-ups that constantly ask for you to click OK and won’t go away? This is often due to malicious code.
– “Helpful” toolbars? Once the toolbar program is installed, it could collect anything it wants, and it’s almost impossible to remove—it can often automatically reinstall.
– If you suspect malware or spyware, contact IT for assistance.
• And be careful how you make purchases:
– When making online purchases, always use a credit card, which
Email Security Best Practices
• Keep personal email personal. Use work email only for work purposes—don’t mix them up.
• Don’t register on personal websites with your work email.
• If you didn’t expect an email, don’t open it—check with the sender first.
• No valid source will ever ask for your password – contact IT immediately if you receive an email requesting your login credentials.
• Never open attachments from unexpected sources.
• Always check links before you click them!
How do I check a link in an email?
• Hover over a link before you click it:
• Sometimes a link masks the website to which it links. If you hover over a link without clicking it, you’ll notice the full URL of the link’s destination in your browser. For example, both of these links connect you to NCLM’s home page but you wouldn’t know it without hovering:
• Click Here!
• http://www.freerolexwatches.com/
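The hover check above, together with the “look for https://” rule from the Internet slide, can be automated for a whole message before anyone clicks. The Python below is an added example and not part of the deck: it walks the anchors in an HTML e-mail body with the standard-library parser and reports any link whose visible text hides or contradicts the real destination, or whose destination is not https. The sample message and its domains are constructed placeholders; the second link mirrors the slide’s example, where the text shows one site while the link goes to another.

```python
"""Flag links in an HTML e-mail whose visible text disagrees with the real
destination, the check a reader does by hand when hovering (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body. The domains are placeholders, not real sites.
SAMPLE_EMAIL_HTML = """
<p>Dear resident,</p>
<p><a href="http://www.municipality.example/">Click Here!</a> to read the notice.</p>
<p><a href="http://www.municipality.example/">http://www.freerolexwatches.com/</a></p>
<p><a href="https://www.municipality.example/">https://www.municipality.example/</a></p>
"""

# Visible text "looks like" a URL or domain when it starts with something such
# as example.com or http://www.example.com/...; group 1 captures the host.
DOMAIN_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, lower-cased, with a leading 'www.' dropped."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def shown_host(text):
    """Host a reader would infer from the link text, or None if it is not URL-like."""
    match = DOMAIN_RE.match(text.strip())
    return match.group(1).lower() if match else None


def check_link(href, text):
    """Return warnings for one link; an empty list means nothing looked off."""
    warnings = []
    if urlparse(href).scheme.lower() != "https":
        warnings.append("destination is not https")
    shown = shown_host(text)
    if shown is None:
        warnings.append(f"text {text!r} does not show where the link goes ({href})")
    elif shown != host_of(href):
        warnings.append(f"text shows {shown} but the link goes to {host_of(href)}")
    return warnings


def audit_email(html):
    """Return [(href, text, warnings)] for every link in the HTML body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, warnings in audit_email(SAMPLE_EMAIL_HTML):
        status = "ok" if not warnings else "; ".join(warnings)
        print(f"{text!r} -> {href}: {status}")
```

Only the third link comes back clean: its text, its real host and its https scheme all agree, which is exactly what a hover would have shown.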
What is Phishing?
• “Phishing” is a term used for fraudulent Internet “scams” that set out to deceive users into providing personal information that often is used for identity theft. It stands for “password fishing.”
• Phishing emails appear to be from a well-known and trusted company and are sent to a large number of addresses. They may direct the recipient to a fraudulent website that looks exactly like the real website, where he/she is asked for personal information.
• Designed to get data from users without their knowledge.
– This data is usually sensitive in nature, like credit card information, usernames or passwords.
• Phishing emails commonly pretend to be from organizations such as PayPal, an airline, or a bank.
Source: http://www.symantec.com/norton/transactsafely/phishingfaq.jsp
What does a phishing email look like?
Here’s an actual phishing email sent to customers of Barclay’s bank with a link to a fraudulent website. Notice the errors – this is a common trait of phishing emails:
How do I keep from getting phished?
• The most powerful weapons against phishing are common sense and the following rules:
– If you are not a customer of the site, delete the email immediately. Don’t click on the link or reply.
– If you are a customer and you are not sure if the email is legit, do one of the following:
• Contact the institution by phone or via the official website (do not use the email link, of course) and ask if the email is official.
• Instead of using the link provided, visit the website by typing in the official URL. The site should have news about the email on their Home page. If not, use 2A to verify the email.
Source: http://www.symantec.com/norton/transactsafely/phishingfaq.jsp
If you see something suspicious at work:
• Report any unusual system activity to the IT Help Desk.
• Do not investigate the incident yourself—the IT Team will lead the investigation.
• Never attempt to “prove” a security weakness.
• You will never be criticized or get “in trouble” for reporting something that you feel is suspicious. When in doubt – report it!
Information Security is Everyone’s Responsibility
Security is NOT merely about checking boxes!
The intent of awareness training is to prevent fraud, protect customers and residents, and secure our data.
Requirements must be met, but the goal is to provide robust information security within our network.
Questions?
End-User Information Security Awareness Training
Secure Enterprise Computing has been performing network and application security assessments for over 13 years.
We are happy to help you with any and all compliance efforts.
Website: http://www.secure-enterprise.com/
Phone: 919-380-7979