TRANSCRIPT
GRC 2017 Cyber Hygiene Presentation 8/9/17
© Bloustein Local Government Research Center, Rutgers University
NJ Government Records Council Annual Training Seminar
August 10, 2017, by Marc Pfeiffer, Assistant Director, Bloustein Local Government Research Center, Rutgers University
SAFE CYBER HYGIENE FOR WORK AND AT HOME
BOTTOM LINE
▪ Criminals try to manipulate people into divulging personal or business information or trick them into schemes to defraud
▪ Criminals can be individuals or part of industrialized cybercrime businesses
No single fix since the threats keep changing; it’s a perpetual battle
Some Common Terms
Malware
Destructive form of computer software transmitted by email and website links
Phishing: a form of social engineering that appears as email or a text message that attackers use to gain login credentials or account information
And its evil cousin, the targeted Spear-Phish, or Vish, using voice to fool you
WHY SHOULD I CARE?
• 60% of employees will click a phishing link
• 30% of them will actually give up organization credentials
• 20% stated they would sell their organizational password
REALITY: the bulk of successful attacks come because an employee clicked on something they shouldn’t have
Types of Attacks and Threats
• Targeted Attacks
– Government agencies are generally targets
– It also happens if something goes wrong
• Mass Attacks
– This stems from successful email phishing, social engineering, plus “brute force” attacks on networks
• Man-in-the-Middle Attack:
– A link to a log-in site that looks legit, but is fraudulent and will steal your credentials
• Unsecure humans
– Clicking on the wrong link / opening the wrong file
– An employee who steals data for resale or illegal use
PHISHING EMAIL EXAMPLES
Phishing email poses as an important email from a trusted organization
– A notification from the post office, UPS, FedEx shipping informing the recipient of a delivery
– A message from a utility provider or retailer about an overdue bill
– An alert about the recipient’s tax return
– Invoices or notices for goods and services (Amazon, Costco)
– Fake credit card reward schemes
– Direction from your employer, i.e., need to log in because you lost some permission
Each variation relies on our instinct to act on messages that appear to be urgent
EMAIL AS SOURCE OF MALWARE?
- Embedded, but fake links entice you to open harmful websites
- Spoofed “from” addresses
- Attachments that are or have embedded viruses or malware (docx, xlsx, pptx, html, zip)
- MS Office documents can have malicious macros in them
- Embedded images containing hidden code exposing you to harm
- Coupons and advertisements with “hidden agendas”
REASONS FOR CLICKING?
• CURIOSITY = 34%
• MET AN EXPECTATION = 27%
• INVESTIGATION = 17%
• KNOWN SENDER = 16%
• TRUST IN CONTEXT = 11%
• FEAR = 7%
• AUTOMATIC = 3%
• Clicking on an attachment or a link embedded in a suspicious email launches a program that encrypts (or rewrites) your files
SO WHAT HAPPENS?
• The files are held for ransom; the hacker who sent the email will require a payment from you before they will (hopefully) send you the key (a line of computer code) that decrypts the files and restores them.
• Hope you have backups to restore your system; otherwise you pay!
• Now known to hackers as a victim and will be subject to future attacks
PROTECT YOURSELF FROM EVIL EMAIL
• Learn to hover and read links!
• Be suspicious of unexpected emails
• Do not open attachments you are not expecting:
  • Confirm first with the sender if it looks important
  • Or just delete it
• Always be suspicious (do not let your guard down)
• If it doesn’t look right, it’s not right
• Do not log in to an account from an email link unless you verify it’s a legit email and site
• Never unsubscribe from a group that you are unfamiliar with or did not subscribe to
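As an added illustration (not part of the presentation), the following Python does by code what “hover and read the link” does by eye: it compares each link’s visible text with where its href really goes and flags log-in style links that are not HTTPS. The sample message, the hostnames in it and the helper names are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A hostname-looking token inside the visible link text, e.g. "www.example.com".
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Last two labels of a hostname (crude, but enough for this check)."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def check_links(html):
    """Return [(href, reason)] for links a cautious reader should not click."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target, reasons = urlparse(href), []
        if target.scheme != "https":
            reasons.append("not HTTPS")
        shown = HOST_IN_TEXT.search(text)  # the address the reader *thinks* they see
        if shown and registered_domain(shown.group(1)) != registered_domain(target.hostname):
            reasons.append(f"text says {shown.group(1)} but link goes to {target.hostname}")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings

# Constructed sample message (not a real email): one honest link, one that lies.
SAMPLE_EMAIL = """<p>Track your package at
<a href="https://www.example.com/track">https://www.example.com/track</a>.</p>
<p>Please <a href="http://login.example.net/auth">log in at www.example.com</a>
to keep your account.</p>"""
```

Calling check_links(SAMPLE_EMAIL) reports only the second link, because its visible text names one domain while the href points at another and it is plain HTTP.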
“But, I Think I’m Smart About This”
• “I knew, if this was something dangerous, my Norton would protect me”
• “I use Firefox and MacOS, so I’m not afraid of the viruses”
• “After I googled it, Photocloud.com seemed to be a clean website”
• “I googled the email address [...] I found nothing”
• “I consider our webmail to be safe”
HOW STRONG IS YOUR PASSWORD?
• A six character, single case password = 308 million possible combinations
• Combining upper and lower case and using 8 characters instead of 6 = 53 trillion
• Substituting a number for one of the letters yields 218 trillion.
• Substituting a special character: 6,095 trillion
What That Means to You
• Use strong passwords or better yet pass-phrases; do not use names, dates of birth, or anything known about you
• Change them periodically
• Do not share passwords! But, if you must, consider that:
– Anything that happens on that account gets treated as if you did it
– If you do share a password, change it to something generic before and back to something complex after; or change it after its use
• Use a personal password manager
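As an added example (not part of the presentation), the arithmetic behind the four figures on this slide in Python: each is simply charset size to the power of password length (26^6, 52^8, 62^8, 94^8). It assumes the slide counts 94 printable ASCII characters without the space, so the symbol class has 32 members; the guessing rate used for the time estimate is a constructed assumption, not a figure from the slide.

```python
import re

# Character-class sizes. Assumption: the slide's figures use 94 printable ASCII
# characters (no space), so symbols = 94 - 26 - 26 - 10 = 32.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32

def keyspace(charset_size, length):
    """How many distinct passwords of exactly `length` chars an attacker must try."""
    return charset_size ** length

def slide_figures():
    """The four numbers on the slide, derived from charset size and length."""
    return {
        "6 chars, single case": keyspace(LOWER, 6),                             # ~308 million
        "8 chars, upper+lower": keyspace(LOWER + UPPER, 8),                     # ~53 trillion
        "8 chars, plus digits": keyspace(LOWER + UPPER + DIGITS, 8),            # ~218 trillion
        "8 chars, plus symbols": keyspace(LOWER + UPPER + DIGITS + SYMBOLS, 8),  # ~6,095 trillion
    }

def estimate_keyspace(password):
    """Keyspace implied by the character classes that actually appear in `password`."""
    size = 0
    if re.search(r"[a-z]", password): size += LOWER
    if re.search(r"[A-Z]", password): size += UPPER
    if re.search(r"[0-9]", password): size += DIGITS
    if re.search(r"[^a-zA-Z0-9]", password): size += SYMBOLS
    return keyspace(size, len(password))

def years_to_exhaust(space, guesses_per_second):
    """Worst case for the attacker (on average half this). The rate is an assumption."""
    return space / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    rate = 10**10  # constructed assumption: offline guessing at 10 billion per second
    for label, n in slide_figures().items():
        print(f"{label:24s} {n:>22,}  {years_to_exhaust(n, rate):12.6f} years")
    # Length beats complexity: a 26-letter lower-case pass-phrase dwarfs 8 mixed chars.
    phrase = "purplelanternhikingtuesday"
    print(f"{phrase:24s} {estimate_keyspace(phrase):>22,}  {years_to_exhaust(estimate_keyspace(phrase), rate):12.6g} years")
```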
SAFE WEB BROWSING
THE PROBLEMS WITH BROWSING
This is not your mother’s internet!
Use of passwords on insecure pages
Malware loaded pages
Unexpected pop-ups
HTTP vs. HTTPS
(Slide screenshot: a fake “Flash update” pop-up pointing to http://masterupdate.net/.....)
If you are unsure about this type of pop-up, search for “flash update” and go to an adobe.com site to check. Don’t download from a pop-up that’s not from the adobe.com website.
Beware of free downloads from coupon and download sites – malware often follows!
And watch where you click!
Safe Browsing @ Work and @ Home
• DO NOT CLICK ON suspicious pop-ups or unexpected messages when browsing!
– If at work, call IT; if at home, close the window or disconnect from the network
– Work is work, not home!
– Remember your web browsing activities are tracked (even if you clear the browser history)!
– DON’T CLICK on that pop-up!
– Test a page by looking at it full size and then shrinking it. If it won’t or doesn’t, close the browser!
• DON’T CALL the number on the screen
• Things that are too good to be true, aren’t true. Don’t click on them, or delete them
• Caught in a loop? Shut down and reboot
• Stay Safe: Browse trusted sites:
• Know the address: HTTP vs. HTTPS, and no passwords on non-HTTPS sites
• Use two-factor authentication when offered
• Don’t download “toolbars” or cleaners, unless known or checked out. You probably don’t need them
KEEP YOUR COMPUTER UP TO DATE: Keep Windows, antivirus, and browser updated with the latest versions
Forms of Social Engineering
• In-person
• Phone
• Digital
BEWARE OF ... phone callers asking for confidential employer or personal information, even if they claim to be from IT or a vendor. Refer them to IT support or hang up.
‘Can you hear me?’ phone scam: faux telemarketers asking unwilling victims to respond with a single word to “Can you hear me?” Do not reply with “yes”
Don’t click on text message links from someone you don’t know
UNFORGETTABLES
• Do not log on and off a computer when asked by another employee or outside person – unless identity is verified
• Caller ID can be “spoofed”
• Use two-factor authentication transactions whenever it’s available
• Fiscal and HR people: POSITIVELY confirm all emailed directions for anything (especially for personnel information and payment direction)
• Use a passcode on mobile devices
• No system is 100% perfect - since threats are always changing
• Stay aware: stop, think, then connect
• Call your IT support person when in doubt
• At home: www.malwarebytes.org if you get infected
(Slide image caption: UH, NOPE)
PUTTING IT ALL TOGETHER
• Don’t be curious – just don’t click
• Online, free is never free
• Be suspicious – hover first and check it out
• If you didn’t ask for it, you don’t need it
• Never open attachments from unknown people
• Don’t instinctively open files from people you know but were not expecting; check with them first
• Lock your PC when away from your desk – “Ctrl+Alt+Del > Enter” or “Windows+L”
• Test yourself: search for “Pew Cybersecurity Quiz” – www.pewinternet.org/quiz/cybersecurity-knowledge/
For more information for work or home or school: www.stopthinkconnect.org
FOR FURTHER DISCUSSION & COMMENTS
Marc Pfeiffer, Assistant Director, Bloustein Local Government Research Center, Bloustein School of Planning and Public Policy, Rutgers University, Marc.Pfeiffer@rutgers.edu
• Technology Risk Management Papers at: http://blousteinlocal.rutgers.edu/managing-technology-risk/
• Or search for “Bloustein Technology Risk”
AND NOW... SOME WORDS ABOUT TECHNOLOGY RISKS AND PROFICIENCY
Categories of Technology Risk
• Cyber-security
• Financial
• Operational
• Legal
• Reputational
• Societal
THREE ELEMENTS OF PROFICIENCY
Technology Management
• Governance - decisions
• Planning – what to do
• Budgeting – how to fund
Cyber Hygiene
• Employee training
• Adopted policies
• Encryption of PII and PHI
Technical Competency
• Meets minimum standards
• Access to expertise
• Incident response plans
MINIMUM ACCEPTABLE LEVELS: TECHNICAL COMPETENCY
Minimum Backup Practices
Timely Software Patching
Strong Defensive Software
Server Physical Security
Access Privilege Controls
Technology Support
MINIMUM ACCEPTABLE LEVEL: SOUND CYBER HYGIENE
Employee training
Policies: Email, Internet, Password
Protect PII and PHI
Password strength