eac session eac session

Upload: innocent

Post on 20-Feb-2018

Category: Documents

TRANSCRIPT

  • 7/24/2019 Eac Session Eac Session

    1/28

    Information Security: Creating Awareness, Educating Staff, and Protecting Information

    Session 46

    Chris Aidan, CISSP

    Information Security Manager

    Pearson

    2/28

    Topics Covered

    Data Privacy
    Spyware & Adware
    SPAM & SPIM
    Phishing
    Passwords
    Social Engineering
    Email & Chat Services
    Securing Workstations
    Data Backups
    Equipment Disposal
    Data Recovery Demo
    Data Disposal
    Access Rights
    Physical Security
    Emerging Threats
    Incident Response
    Creating Awareness
    Questions
    Useful Links

    3/28

    Why Security?

    Liability
    Privacy Concerns
    Copyright Violations
    Identity Theft
    Resource Violations
    Reputation Protection
    Meet Expectations
    Laws & Regulations

    4/28

    Understanding Threats

    What is valuable?
    What is vulnerable?
    What can we do to safeguard and mitigate threats?
    What can we do to prepare ourselves?

    Most people believe they will win the lottery before they get hit by malicious code.

    5/28

    Keep Sensitive Data Private

    Protecting information like:
    Social Security Number
    Driver's license number
    Insurance numbers
    Passwords and PINs
    Banking information

    6/28

    Terminology

    Hackers: white hat, grey hat, black hat
    DoS & DDoS
    1337 (Leet) speak
    Warez
    Script kiddies

    7/28

    Spyware & Adware

    Scumware!
    Spyware: applications that monitor activity without express permission
    Adware: applications that monitor activity with express permission
    • Read the EULA

    8/28

    SPAM & SPIM

    SPAM: junk email
    SPIM: SPAM has come to Instant Messaging
    • Uncontrolled viewing (pop-up windows)
    • Bot generated

    9/28

    Phishing

    Phishing is a computer scam that uses SPAM, SPIM & pop-up messages to trick us into disclosing private information (Social Security Number, credit cards, banking data, passwords, etc.).
    • Often sent from someone that we "trust" or who is in some way associated with us
    • Appears to be a legitimate website
    • Embedded in links, emails & pop-up messages
    • Phishing emails often contain spyware designed to give remote control of our computer to an attacker or to track our online activities
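The slide's "appears to be a legitimate website" point is the one a machine can check: the text a user sees in a link and the place the link actually goes are two different things. The following is an added example, not part of the original session; the HTML message, the `bank.example` sender domain and the other hostnames in it are constructed for illustration, and the "registrable domain" helper is a deliberately crude last-two-labels heuristic (a real tool would use the public suffix list).

```python
"""Flag deceptive links in an HTML email body (added example, constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a message that claims to come from "bank.example"
# but whose links point elsewhere. No real hosts are referenced.
SAMPLE_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://203.0.113.7/login">https://www.bank.example/login</a><br>
<a href="https://bank.example.evil-host.example/verify">Click here</a><br>
<a href="https://www.bank.example/help">Help center</a>
"""


class LinkCollector(HTMLParser):
    """Collect [href, visible text] pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href", ""), ""])
            self._in_anchor = True

    def handle_data(self, data):
        if self._in_anchor and self.links:
            self.links[-1][1] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False


def registrable_domain(host):
    """Crude heuristic: last two DNS labels. Assumption for the example only."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip_literal(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def analyze_links(html_body, claimed_domain):
    """Return [(href, [reasons])] for links that look deceptive.

    Checks: (1) visible text is a URL whose host differs from the real target,
    (2) the target host is a bare IP address, (3) the target is not under the
    domain the message claims to come from.
    """
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        reasons = []
        href_host = urlparse(href).hostname or ""
        if text.startswith(("http://", "https://")):
            text_host = urlparse(text).hostname or ""
            if text_host and text_host != href_host:
                reasons.append("visible URL host %s != link host %s" % (text_host, href_host))
        if is_ip_literal(href_host):
            reasons.append("link host is a raw IP address")
        if registrable_domain(href_host) != registrable_domain(claimed_domain):
            reasons.append("link domain %s is not %s" % (registrable_domain(href_host), claimed_domain))
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_HTML, "bank.example"):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run against the constructed message, the first two links are flagged (the IP-address link for all three reasons, the look-alike subdomain for the domain mismatch) and the genuine help link passes. The same display-text-versus-target comparison is what a user should do by hovering before clicking.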

    10/28

    Passwords

    Select a good one:
    • At least 5 characters
    • Mixture of upper and lowercase characters
    • Mixture of alpha and numeric characters
    • Don't use dictionary words
    Keep passwords safe
    Change them often
    Don't share or reuse passwords
    Two-factor authentication
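The "select a good one" rules above are easy to turn into a checker, and doing so shows the weak spot in naive versions of them: "P@ssw0rd1" has mixed case, letters and digits, and is still a dictionary word. The block below is an added example, not code from the session. `MIN_LENGTH` follows the slide's figure, which is low by current guidance (NIST SP 800-63B asks for at least 8 characters for user-chosen passwords and for screening against known-compromised passwords rather than composition rules); the small `DICTIONARY` set is a stand-in for such a list, and the `PasswordHistory` class shows how "don't reuse" can be enforced without storing old passwords in the clear.

```python
"""Password rule checker and reuse detector (added example, constructed word list)."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 5  # the slide's figure; raise it in real use (assumption: adjustable)

# Constructed stand-in for a dictionary / breached-password list.
DICTIONARY = {"password", "welcome", "letmein", "summer", "pearson", "qwerty"}
STRIP_CHARS = string.digits + string.punctuation


def leet_normalize(s):
    """Undo common substitutions so 'P@ssw0rd' is still recognised as 'password'."""
    table = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                           "0": "o", "$": "s", "5": "s", "7": "t"})
    return s.translate(table).lower()


def dictionary_hit(pw):
    """True if the password, or the password minus leading/trailing digits and
    symbols, is a dictionary word, with or without leet substitutions."""
    trimmed = pw.strip(STRIP_CHARS)
    candidates = {pw.lower(), leet_normalize(pw),
                  trimmed.lower(), leet_normalize(trimmed)}
    return any(c in DICTIONARY for c in candidates)


def check_rules(pw):
    """Return the list of slide rules the password fails (empty list = passes)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("fewer than %d characters" % MIN_LENGTH)
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        failures.append("no mix of upper and lower case")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        failures.append("no mix of letters and digits")
    if dictionary_hit(pw):
        failures.append("dictionary word (possibly with digits/symbols added)")
    return failures


class PasswordHistory:
    """Salted PBKDF2 hashes of previous passwords, so reuse can be detected
    without keeping the old passwords themselves."""

    def __init__(self):
        self._entries = []  # list of (salt, digest)

    @staticmethod
    def _digest(salt, pw):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def remember(self, pw):
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(salt, pw)))

    def was_used(self, pw):
        return any(hmac.compare_digest(d, self._digest(s, pw)) for s, d in self._entries)


def evaluate(pw, history):
    """All slide rules plus the reuse rule, as a list of failure strings."""
    failures = check_rules(pw)
    if history.was_used(pw):
        failures.append("reused password")
    return failures


if __name__ == "__main__":
    history = PasswordHistory()
    history.remember("Old-Pass7")
    for candidate in ["Ab1", "summer2024", "P@ssw0rd1", "Old-Pass7", "Tr0ub4dor&3"]:
        print("%-14s %s" % (candidate, evaluate(candidate, history) or "ok"))
```

The normalisation step is the part worth copying: composition rules alone accept most of the passwords attackers try first, so a check against a word list (with the obvious substitutions undone) does more than the case and digit rules combined.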

    11/28

    Social Engineering

    Social Engineering is the art of prying information out of someone else to obtain access or gain important details about a particular system through the use of deception.

    12/28

    Email & Chat Services

    Email and chat are sent in clear text over the Internet.
    Data can easily be captured and read by savvy computer users and by the systems administrators of any system it passes through.
    Safeguards (such as encryption) should be put into place prior to using these programs for sending/receiving sensitive information like Social Security Numbers.

    13/28

    Enhance Your Work Area Security

    Secure workstations:
    • Lock our systems (Ctrl-Alt-Delete)
    • Shut down
    • Run up to date virus scanning software
    • Password protect files
    • Apply software patches
    • Install cable locks
    • Run a desktop firewall

    14/28

    Is Your Data Being Backed Up?

    Test backups
    Securely store backup media (offsite)
    Restrict access to who can perform restoration
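"Test backups" means restoring them somewhere and comparing the result with the source, not just checking that the backup job exited cleanly. The block below is an added example, not the session's material: it builds a small constructed source tree in a temporary directory, archives it, restores the archive into a second directory and compares every file by SHA-256; the `corrupt` flag simulates a damaged restore so the detection path is exercised too.

```python
"""Restore-and-verify backup test (added example; sample files are constructed)."""
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def make_backup(source_dir, archive_path):
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")


def restore_backup(archive_path, target_dir):
    with tarfile.open(archive_path, "r:gz") as tar:
        # The 'data' filter (Python 3.12+, backported to maintenance releases)
        # refuses absolute paths and '..' members in untrusted archives.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(target_dir, **kwargs)


def verify_restore(source_dir, restored_dir):
    """Return (ok, problems): missing files, checksum mismatches, extra files."""
    src, dst = manifest(source_dir), manifest(restored_dir)
    problems = []
    for rel, digest in src.items():
        if rel not in dst:
            problems.append("missing after restore: " + rel)
        elif dst[rel] != digest:
            problems.append("checksum mismatch: " + rel)
    for rel in dst:
        if rel not in src:
            problems.append("unexpected file in restore: " + rel)
    return (not problems, problems)


def run_backup_test(corrupt=False):
    """End-to-end: back up a constructed tree, restore it, verify.
    corrupt=True tampers with the restored copy to show that verification notices."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "source")
        restored = os.path.join(work, "restored")
        os.makedirs(os.path.join(source, "hr"))
        with open(os.path.join(source, "hr", "roster.csv"), "w") as f:
            f.write("name,dept\nJ. Doe,Finance\n")  # constructed content
        with open(os.path.join(source, "notes.txt"), "w") as f:
            f.write("quarterly plan\n")
        archive = os.path.join(work, "backup.tgz")
        make_backup(source, archive)
        restore_backup(archive, restored)
        if corrupt:
            with open(os.path.join(restored, "notes.txt"), "a") as f:
                f.write("tampered\n")
        return verify_restore(source, restored)


if __name__ == "__main__":
    print("clean restore:", run_backup_test())
    print("damaged restore:", run_backup_test(corrupt=True))
```

The manifest is also the artefact to keep with the offsite media: a signed list of hashes lets whoever performs the restoration (the slide says that should be a restricted group) prove the media were not altered while out of your hands.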

    15/28

    Equipment Disposal

    What happens to old computers when they are replaced?
    Do those systems contain sensitive information?
    Several programs to securely remove data from computer systems are commercially available.

    16/28

    Data Recovery

    DEMO
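The live demo is not transcribed, so the following added example (not the session's own demo, and not a real tool) shows the idea it illustrates, and ties it to the previous slide's disposal question: on a disk, "delete" removes the directory entry and leaves the data blocks in place, so a carving tool that scans raw blocks for a file signature recovers the file; "securely remove data" means overwriting the blocks, or the whole free space, before the equipment leaves. The disk is modelled as a `bytearray` with a toy directory; the payroll "PDF" is a constructed byte string. One caveat from NIST SP 800-88: on SSDs, wear levelling means software overwrites do not reliably reach every cell, so use the drive's built-in sanitize/secure-erase command or full-disk encryption with key destruction instead.

```python
"""Deleted-file carving versus overwrite (added example, toy disk model)."""
import os

BLOCK = 64
PDF_MAGIC = b"%PDF-"


class ToyDisk:
    """A block device with a directory that just lists block numbers."""

    def __init__(self, blocks=16):
        self.raw = bytearray(BLOCK * blocks)
        self.free = list(range(blocks))
        self.directory = {}  # name -> list of block numbers

    def write_file(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            blocks.append(b)
        self.directory[name] = blocks

    def delete_file(self, name):
        """Ordinary delete: forget the entry, leave the bytes where they are."""
        self.free.extend(self.directory.pop(name))

    def _overwrite(self, b, passes):
        for _ in range(passes):
            self.raw[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
        self.raw[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)

    def secure_delete(self, name, passes=1):
        """Per-file wipe: overwrite the blocks, then release them."""
        for b in self.directory[name]:
            self._overwrite(b, passes)
        self.delete_file(name)

    def wipe_free_space(self, passes=1):
        """What a disposal tool does: overwrite every block not in use."""
        for b in self.free:
            self._overwrite(b, passes)


def carve(disk, magic=PDF_MAGIC):
    """Recover content by scanning raw blocks for a signature; the directory is ignored."""
    found = []
    for b in range(len(disk.raw) // BLOCK):
        chunk = bytes(disk.raw[b * BLOCK:(b + 1) * BLOCK])
        if chunk.startswith(magic):
            found.append(chunk.rstrip(b"\x00"))
    return found


def demo():
    """Return (carved after ordinary delete, carved after wiping free space)."""
    secret = b"%PDF-1.4 Payroll: J. Doe, SSN 123-45-6789"  # constructed content
    disk = ToyDisk()
    disk.write_file("payroll.pdf", secret)
    disk.delete_file("payroll.pdf")
    after_delete = carve(disk)   # the "deleted" document is still there
    disk.wipe_free_space()
    after_wipe = carve(disk)     # nothing left to carve
    return after_delete, after_wipe


if __name__ == "__main__":
    recovered, after_wipe = demo()
    print("after delete:", recovered)
    print("after wipe:  ", after_wipe)
```

Real carving tools work the same way at scale (scan for signatures, reassemble blocks), which is why a machine that merely had its files deleted, or was reformatted, is not safe to donate or resell.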

    17/28

    Dumpster Diving

    We never know who is looking in our trash.
    Shred sensitive documents.
    Secure shred barrels, and make sure that proper handling procedures are in place.

    18/28

    Access Rights

    Only allow access that is absolutely required.
    Don't grant accounts based on the fact that access "may" be required.
    Use least privilege access policies that state access will only be granted if required, not by default.
    Are accounts removed and passwords changed when someone changes jobs or is terminated?
    Perform audits.
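"Perform audits" is the step that catches the other three failing. An access audit is, at bottom, a join between the HR roster (who is employed, in what role) and the directory's account export (who has an account, with which groups, last used when). The block below is an added example, not from the session: both CSV snippets are constructed, and the `ALLOWED_GROUPS` table is an assumed stand-in for an organisation's own role-to-entitlement policy.

```python
"""Minimal access-rights audit: accounts versus HR roster (added example, constructed data)."""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster.
HR_CSV = """\
user,role,status,last_change
alice,finance,active,2017-03-01
bob,helpdesk,terminated,2018-01-15
carol,finance,active,2018-02-01
dave,engineering,active,2017-09-10
"""

# Constructed account export from the directory.
ACCOUNTS_CSV = """\
user,groups,last_login
alice,finance-ro;payroll,2018-02-18
bob,helpdesk;domain-admins,2018-01-10
carol,finance-ro;domain-admins,2018-02-19
dave,engineering,2017-10-01
svc_backup,backup-operators,2018-02-19
"""

# Assumed policy: the groups each role is permitted to hold (least privilege).
ALLOWED_GROUPS = {
    "finance": {"finance-ro", "payroll"},
    "helpdesk": {"helpdesk"},
    "engineering": {"engineering"},
}
DORMANT_AFTER = timedelta(days=90)


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit(hr_csv, accounts_csv, today):
    """Return a sorted list of (user, finding) pairs."""
    roster = {row["user"]: row for row in load(hr_csv)}
    findings = []
    for acct in load(accounts_csv):
        user = acct["user"]
        groups = set(filter(None, acct["groups"].split(";")))
        person = roster.get(user)
        if person is None:
            findings.append((user, "account has no HR record (orphaned or service account: review)"))
        elif person["status"] != "active":
            findings.append((user, "account still enabled for a %s employee" % person["status"]))
        else:
            excess = groups - ALLOWED_GROUPS.get(person["role"], set())
            if excess:
                findings.append((user, "groups beyond role '%s': %s"
                                 % (person["role"], ", ".join(sorted(excess)))))
        last_login = date.fromisoformat(acct["last_login"])
        idle = (today - last_login).days
        if idle > DORMANT_AFTER.days:
            findings.append((user, "no login for %d days" % idle))
    return sorted(findings)


def run_sample():
    """Audit the constructed data as of a fixed date so results are reproducible."""
    return audit(HR_CSV, ACCOUNTS_CSV, date(2018, 2, 20))


if __name__ == "__main__":
    for user, finding in run_sample():
        print("%-12s %s" % (user, finding))
```

On the sample data the audit surfaces exactly the slide's concerns: a terminated employee whose account was never disabled (and who holds an admin group), an active employee with a group her role does not justify, a dormant account, and an account with no owner in HR. The dormant and orphaned cases are the ones that need a human decision; the other two are removals.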

    19/28

    Physical Security

    Who has access?
    Are sensitive documents secured?

    20/28

    Emerging Threats

    Wireless technology
    Memory devices: iPod, USB keys, Coke cans, etc.
    Camera phones
    P2P file sharing

    21/28

    Incident Response

    Do you know what to do and who to contact if a security breach occurs?

    22/28

    Recent News

    23/28

    Creating Awareness

    Educate staff
    • Train staff
    • Document processes and outline expectations
    Research potential candidates
    • Perform background & credit checks
    Track system changes
    • Audit system access
    • Audit system changes
    Create & communicate policies:
    • Define document and system disposal processes
    • Define backup procedures
    • Define clean work area policies
    • Define computer usage policies

    24/28

    Be Aware

    Report anything "strange"

    http://www.staysafeonline.info/
    National Institute of Standards and Technology: http://csrc.nist.gov/sec-cert/
    Recent News: High Profile Computer Compromise
    http://news.com.com/Hacker+strikes+university+computer+system/2100-7349_3-5418388.html?tag=cd.top
    A lot of schools have great security resource pages, for example the UC Davis and University of Iowa websites:
    http://security.ucdavis.edu/security33.cfm
    http://cio.uiowa.edu/itsecurity/

    27/28

    Sample Policies

    Developing Security Policy
    • http://www.sans.org/rr/papers/H/3.pdf
    Acceptable Use
    • http://www.sans.org/resources/policies/Acceptable_Use_Policy.pdf

    28/28

    Questions?

    Please fill out the session evaluations, and thank you for attending this session.