Member Municipality Security Awareness Training. End-User Information Security Awareness Training



Why Awareness Training?

NCLM sanctioned multiple Security Risk Assessments for a broad spectrum of member municipalities

The assessments identified areas of weakness common throughout the sampled municipalities regardless of size

One of the most commonly identified weaknesses is a lack of general end-user security awareness training


What will this training cover?

This training will highlight general end-user best practices that apply to the most common information security weaknesses identified during member municipality security risk assessments, including:
– Ensuring your workstation is up-to-date and secure
– Creating and using secure passwords
– Using your mobile devices in a secure manner
– How to surf the net and use email securely


What will this training cover?

This training will also teach you:

What should be considered sensitive and protected

Potential consequences of an information security breach

How to arm yourself with information security intelligence

And what to do if you encounter something suspicious


What’s in it for me?

The goal is to educate employees to:

Proactively secure their computing resources at home and at work.

Recognize what types of security issues and incidents may



What is sensitive data?
And why should we protect it?

Sensitive data may include:
• Credit card numbers
• Social Security numbers
• Driver’s license numbers
• Protected health data
• Law enforcement data
• Business processes
• Financial data
• Copyrights
• Trademarks
• HR data

It’s valuable to our residents, our employees, and our operation – protect it!


Threat Sources

Threat sources may include both insiders and outsiders, such as the following:

Disgruntled employees



Information Security Statistics

A few things to be aware of:
– External parties (“outsiders”) are responsible for far more data breaches than insiders and partners (98% of breaches in 2012).
– Malware factored in over 2/3 of the breaches investigated.
– Identity theft is the fastest growing crime in the US:
  • More than 750,000 victims a year (or 1 in 20 Americans) with losses exceeding $2 Billion.
– Over 1,000 viruses are created each month.

Source: Verizon Data Breach Report 2012 –


What does this have to do with me?

People are the weakest link. You can have the best technology, firewalls, intrusion-detection systems, biometric devices—and somebody can call an unsuspecting employee. That’s all she wrote, baby. They got everything.

— Kevin Mitnick

Kevin Mitnick is a computer security consultant, author, and hacker. In the mid 90's, he was the world's most-wanted computer hacker.




What can happen?

Bad things that can happen:
– Disruption of business/personal time
– Loss of $$$ (business/personal)
– Identity theft
– Heavy fines from regulatory agencies
– Criminal investigations
– Lawsuits
– Reputational damage to the municipality and its elected officials


General Best Practices

• Make sure your workstation is secure:
  – Install active anti-virus and keep it current.
  – Apply Microsoft and third-party software security updates.
  – Do not install unauthorized/free software on Municipal systems without IT approval.
  – Do not install free software at home unless it has been validated by a trusted source.
  – Do not disable security software, such as anti-virus, personal firewall and intrusion detection software.


Password Best Practice

• Use a complex password.
  – At least eight characters
  – Use capital and lower-case letters, numbers and symbols
  – Do not use commonly used passwords like “password,” “12345678” or “LetMeIn”.
  – Use phrases, and substitute symbols and numbers for letters. For example, instead of “MyDogSpot” use “MyD0g$p0t”.
• Change your password at least every 60-90 days.


Secure your workstation

• Lock your computer when you leave your work area.
• Set your screensaver to automatically start after a few minutes of inactivity.
  – Require password entry to deactivate screensaver.
• Do not store written passwords.
  – Passwords stored on your desk or monitor, underneath keyboards or in desk drawers are not secure!
• Do not email passwords.
  – Information contained in emails isn’t encrypted and can


Stay informed

• Arm yourself with information:
  – If your anti-virus vendor offers an alert notification service, subscribe to it. Check other vendors to see if they have an alert list as well. Some anti-virus developers will release warnings ahead of others; therefore, it may be good practice to subscribe to a number of lists.
  – Symantec’s Guide to Scary Internet Stuff series provides useful information in a humorous manner (YouTube). Topics include:
    • Phishing, Botnets, Underground Economy, Drive-by Downloads, Misleading Applications, Net Threats, Losing Your Data, etc.
  – Microsoft offers a security bulletin mailing list as well. Subscribing to this list will allow you to stay on top of security-related patches and could prevent problems such as falling victim to known attacks:
    • http://-us/security/

Sources: http://-viruses-and-malicious-code-part-two-protection and


Mobile Device Security

• Never leave mobile devices unattended in a public area such as a restaurant or coffee shop.
• Never leave mobile devices in plain view through the windows of a car.
• Use device locks such as a PIN/passcode on phones or tablets.
• Use anti-virus.


More Mobile Device Security

Be mindful of QR codes.
– Scanning a QR code is just like clicking on a link!
– Just like a link, a QR code can be used for malicious purposes.
– Use an app like Norton Snap to make sure they’re legitimate.
– When in a store or restaurant, make sure the QR code you’re about to scan is not a sticker and is actually printed on the item or marketing material.


More Mobile Device Security

Be mindful of what you install.
– Make sure apps are from reputable sources.
– Check permissions. Are they appropriate for the app you’re downloading?
– If in doubt, ask IT for guidance.

Don’t store sensitive data on your mobile devices.
– This includes laptops, phones, tablets and removable storage devices like USB drives.


Internet Security Best Practices

• While on the Internet:
  – Configure your computer to ask before installing software, and do not browse the web while logged on as administrator.
  – Social networking websites do not verify any content they display, so make sure you trust the poster before viewing videos or media files (many contain embedded malicious code).
  – Avoid using “Remember this password” for websites.
  – Free music and file sharing programs are wide-open doors for hackers—BitTorrent, Kazaa, P2P (peer-to-peer).
  – Before you ever enter sensitive information, look for the browser lock and



Internet Security Best Practices

• Beware of malware and spyware:
  – Software could be installed that tracks and records keystrokes, mouse movements and clicks, websites visited and virtually any other activity on a computer—including your bank account login ID and password.
  – Ever get pop-ups that constantly ask for you to click OK and won’t go away? This is often due to malicious code.
  – “Helpful” toolbars? Once the toolbar program is installed, it could collect anything it wants, and it’s almost impossible to remove—it can often automatically reinstall.
  – If you suspect malware or spyware, contact IT for assistance.
• And be careful how you make purchases:
  – When making online purchases, always use a credit card, which


Email Security Best Practices

• Keep personal email personal. Use work email only for work purposes—don’t mix them up.
• Don’t register on personal websites with your work email.
• If you didn’t expect an email, don’t open it—check with the sender first.
• No valid source will ever ask for your password – contact IT immediately if you receive an email requesting your login credentials.
• Never open attachments from unexpected sources.
• Always check links before you click them!


How do I check a link in an email?

Hover over a link before you click it:

Sometimes a link masks the website to which it links. If you hover over a link without clicking it, you’ll notice the full URL of the link’s destination in your browser. For example, both of these links connect you to NCLM’s home page but you wouldn’t know it without hovering:

Click Here!





What is Phishing?

• “Phishing” is a term used for fraudulent Internet “scams” that set out to deceive users into providing personal information that often is used for identity theft. It stands for “password fishing.”
• Phishing emails appear to be from a well-known and trusted company that are sent to a large number of addresses. It may direct the recipient to a fraudulent website that looks exactly like the real website, where he/she is asked for personal information.
• Designed to get data from users without their knowledge.
  – This data is usually sensitive in nature, like credit card information, usernames or passwords.
• Phishing emails commonly pretend to be from organizations such as PayPal, an airline, or a bank.

Source: http://


What does a phishing email look like?

Here’s an actual phishing email sent to customers of Barclay’s bank with a link to a fraudulent website. Notice the errors – this is a common trait of phishing emails:


How do I keep from getting phished?

• The most powerful weapons against phishing are common sense and the following rules:
  – If you are not a customer of the site, delete the email immediately. Don't click on the link or reply.
  – If you are a customer and you are not sure if the email is legit, do one of the following:
    • Contact the institute by phone or contact via the official website (do not use the email link of course) and ask if the email is official.
    • Instead of using the link provided, visit the website by typing in the official URL. The site should have news about the email on their Home page. If not, use 2A to verify the email.

Source: http://


If you see something suspicious at work:

Report any unusual system activity to the IT Help Desk.

Do not investigate the incident yourself—the IT Team will lead the investigation.

Never attempt to “prove” a security weakness.

You will never be criticized or get “in trouble” for reporting something that you feel is suspicious. When in doubt – report it!


Information Security is Everyone’s Responsibility

Security is NOT merely about checking boxes!

The intent of awareness training is to prevent fraud, protect customers and residents, and secure our data.

Requirements must be met, but the goal is to provide robust information security within our network.




End-User Information Security Awareness Training

Secure Enterprise Computing has been performing network and application security assessments for over 13 years.

We are happy to help you with any and all compliance efforts.

Website: http://-

Phone: 919-380-7979



