ICT Security is Everyone's Business

www.iita.org A member of CGIAR consortium “ICT Security is Everyone’s Business” Presented by Adeoluwa Modupe

Upload: international-institute-of-tropical-agriculture

Post on 14-Feb-2017




Outline

• Preambles
• Terms of reference
• Issues Identified
• Justification


INTRODUCTION

What is Computer Security?

The protection of the confidentiality, integrity and availability of computing systems and the data that they store or access.


Security refers to the degree of protection against danger, damage, loss and crime.

Can refer to physical media, financial transactions, computer hardware, data, application, email, information and network security.

Terms of reference


Sources that call for interest

• Internet
• Exchange of information on Network within an organization
• Files
• Server


RISKS AND REMEDY

• Internet sites, e.g. Social Networking sites
• On-line Scams
• Information Security
• Personal computers


Social Networking sites

• Hacking
• Malicious applications that are suggested for inclusion/update


Hacking

• Sites such as Facebook, Twitter, LinkedIn, MySpace ask users to create profiles of themselves in order to help build links with friends and family.

• Anyone with a link to one of your friends, or a friend's friend, could potentially access the information held on your page.


Malicious Applications

• Don’t respond to friend requests from people that you don’t recognise

• Check applications before installing them

• Call ICT helpdesk


Phishing

• Use of e-mail purporting to be from banks or other companies such as utilities to fool people

• The e-mail generally claims to be part of a security check. The URL used in the mail disguises the true location of the site.

• The destination pages are designed to look like the genuine site.

• For example First Bank or GTB


Pharming

• The “Troj/BankAsh-virus” is the latest attack, which diverts people visiting legitimate bank websites to fake domain addresses owned by criminals.

• Unlike phishing, which relies on the user clicking on a link to a bogus website


On-line Scams

• Never reply to phishing emails, such as ones asking you to confirm your bank details.

• Never open email from people unknown to you.

• Personal information about your finances must be deleted from your emails


Protection Layers - 4 layers

• Who is a target?
• Who is responsible for protection?
• How is protection done?
• What are the issues involved (computer, communication network, files, file systems, structures)

[Diagram: the four protection layers: Files/Information, Systems, Network/Communication, Global]


Social engineering (Hacking the mind!)

• The hack that requires no knowledge of code.

• Social engineering is the art of manipulating/tricking people so they give up confidential information

• Accounts for an estimated 90% of security breaches.

• Everyone is a target; be vigilantly aware of anyone asking for personal or private information.


Social Engineering (Contd.)

• Criminals can only succeed if they obtain your secret security information such as a PIN number or password.

• No bank will ever ask you for your full PIN or password when identifying you over the phone or online.

• If asked to call back the number on the back of the card, use another phone line or wait a few minutes before using the same phone again.


Social Engineering - Can lead to Identity Theft

• WHAT IS IDENTITY THEFT?

• It occurs when someone steals your personal information – e.g., credit card or Personal Identification number – and uses it fraudulently.

• When your private financial information gets into the wrong hands, the consequences can be devastating.


How to minimize the risk of becoming a victim of identity theft

• Practice Safe Internet Use.
  • Keep your anti-virus software up-to-date. Delete spam emails that ask for personal information.
  • Shop online only with secure web pages (check the bottom of your browser for an image of a lock or look for “https” in the address bar).
  • Never send credit card numbers and other personal information via email.
  • Regularly check your credit card statements.

• Destroy Private Records. Tear up or shred credit/debit card, ATM and bank deposit statement/receipts.


Social Engineering - Password Phishing

• Phishing is a form of social engineering that attempts to obtain your username and password.

• Downloading unknown attachments could be dangerous

• Check the sender (trusted e.g. @cgiar.org)
• Check any web link (trusted links)
• Check hyperlink is the same as the web link
• Does the “feel” of the email seem right?
• If in doubt contact US! (Helpdesk x2255)


What makes a good password?

Comparative time to crack*, by password length and character set

Password length   a-z       plus upper case (A-Z)   plus numbers plus symbols
Set size          26        52                      96
6                 Seconds   Minutes                 Few Minutes
7                 Seconds   Minutes                 Hours
8                 Minutes   Days                    Many months
9                 Hours     Year                    Years

* Depends on currently available processing speeds.

A balance between “hackable” password and “easy-to-remember”


Password Policy

• Change every 180 days.
• Must be at least 8 characters from at least three of the following sets:
  • Lower case letters a-z
  • UPPER CASE LETTERS A-Z
  • Numerics 0-9
  • Special characters (!"# $%& ' *+, -./ : ;<=>?@ [\]^_` {|}~ )
• If you feel your password has been compromised change it immediately.
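The policy above, together with the idea behind the crack-time table on the preceding slide (search space grows with set size and length), written as a check. This is an added example, not part of the original presentation; the function names, the sample passwords and the use of Python's `string.punctuation` as the special-character set are assumptions.

```python
import string
from datetime import date

MIN_LENGTH = 8        # "at least 8 characters"
MIN_SETS = 3          # "from at least three of the following sets"
MAX_AGE_DAYS = 180    # "change every 180 days"

# The four sets named on the slide. string.punctuation is assumed to match
# the slide's special-character list; spaces and non-ASCII count for no set.
CHARACTER_SETS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

def sets_used(password):
    """Names of the policy character sets that appear in the password."""
    return sorted(name for name, chars in CHARACTER_SETS.items()
                  if any(c in chars for c in password))

def search_space(password):
    """Brute-force search space: (size of the sets used) ** length.
    These four sets total 94 characters; the slide's table uses 96."""
    alphabet = sum(len(CHARACTER_SETS[name]) for name in sets_used(password))
    return alphabet ** len(password)

def policy_violations(password, last_changed, today):
    """Policy rules this password breaks (an empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if len(sets_used(password)) < MIN_SETS:
        problems.append("fewer than 3 character sets")
    if (today - last_changed).days > MAX_AGE_DAYS:
        problems.append("older than 180 days")
    return problems

if __name__ == "__main__":
    today = date(2017, 2, 14)
    # Constructed sample passwords, not taken from the presentation.
    for pw, changed in [("ibadan", date(2017, 1, 1)),
                        ("Ibadan2017", date(2016, 6, 1)),
                        ("Yam&Cassava9", date(2017, 1, 1))]:
        print(pw, search_space(pw), policy_violations(pw, changed, today))
```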


How to change your password

• CTRL-ALT-DEL and select change a password
• Windows


How to change your password

• If outside of Ibadan you can use webmail.

• In OWA.IITA.ORG: Go to options, change password


Examples of false password change requests (Phishing)


Social Engineering - Phishing Attempts


Social Engineering - Phishing attempts


Email – genuine examples

• Email box nearly full
• Quota on server full
• Spam filter
• Bank update


Email – box full


Email - Spam filter


Other security issues

• If sharing a folder specify who is allowed to access it. Otherwise anyone can read or possibly delete the information.

• Be careful when downloading and installing software from the internet. Many links, especially to anti-malware and anti-virus sites, are 419.


Other security issues

• OpenDNS blocks many malware sites


Other security issues

• Lock your screen when leaving the office (use CTRL-ALT-DEL and select lock this computer)
• Do not paste your password near your computer


Other security issues

• Wireless SSID broadcasts
• Be aware which wireless networks you are connecting to, especially if carrying out bank transactions.


Why Backups

• Systems do crash
• Media failures
• Hard disks fail
• USB sticks stolen


Backups

• Keep any backup separate from your computer
• Copy all your files
• To a mixture of
  • Network storage (Drive U:)
  • External hard disk
  • Removable media (Flash)
  • Cloud


Cyber security: The DOs

• If unclear about any aspect of cyber security, call helpdesk

• Change password if suspicious it may have been compromised

• Keep antivirus and software up to date

• Comply with the institute's acceptable usage / user policy

• Beware of the risks of using unsecured (open) wireless networks in public places

• Know that cyber security is relevant to YOU and begins with you.


Cyber security: The DON’Ts

• Don’t disclose your password to anyone
• Don’t send unauthorized bulk email (Spam)
• Don’t leave your computer unlocked when not in use
• Don’t leave hard copies of confidential information unsecured
• Don’t give unauthorized access to your system or institute's information


Summary

• Security depends on all of us

90/10 rule:
• 10% of security safeguards are technical
• 90% rely on the computer user adhering to good computer practices

• Beware of phishing attempts
• Passwords are to be changed regularly
• Beware of clicking on untrusted web sites
• Backup, backup and backup your data!


ICT Help contacts

• Helpdesk: EXT.2255

• Email:[email protected]

• Skype: IITAhelpdesk

• Office: Bld500 Rm 221 upper floor


THANK YOU

Thank you for your attention


?