safe cyber hygiene for work and at home august 2017 cyber hygiene...grc 2017 cyber hygiene...

GRC 2017 Cyber Hygiene Presentation 8/9/17

© Bloustein Local Government Research Center, Rutgers University 1

NJGovernmentRecordsCouncilAnnualTrainingSeminar

August10,2017ByMarcPfeiffer,AssistantDirectorBlousteinLocalGovernmentResearchCenter

RutgersUniversity

SAFECYBERHYGIENEFORWORKANDATHOME



BOTTOMLINE▪ Criminalstrytomanipulatepeopleinto

divulgingpersonalorbusinessinformationortrickthemintoschemestodefraud

▪ Criminalscanbeindividualsorpartofindustrialized,cybercrimebusinesses

Nosinglefixsincethethreatskeepchanging;It’saperpetutalbattle



SomeCommonTerms

Malware

Destructiveformofcomputersoftwaretransmittedbyemailandwebsitelinks



Phishingaformofsocialengineeringthatappearsasemailoratextmessagethatattackersusetogainlogincredentialsoraccountinformation

Anditsevilcousin,thetargetedSpear-PhishorVish,usingvoicetofoolyou

WHYSHOULDICARE?

•60%ofemployeeswillclickaphishinglink

•30%ofthemwillactuallygiveuporganizationcredentials

•20%statedtheywouldselltheirorganizationalpassword

REALITY:thebulkofsuccessfulattackscomebecauseanemployeeclickedon

somethingtheyshouldn’thave



TypesofAttacksandThreats•TargetedAttacks

–Governmentagenciesaregenerallytargets–Italsohappensifsomethinggoeswrong

•MassAttacks–Thisstemsfromsuccessfulemailphishing,socialengineering,plus“bruteforce”attacksonnetworks

•Man-in-the-MiddleAttack:–Alinktoalog-insitethatlookslegit,butisfraudulentandwillstealyourcredentials

•Unsecurehumans–Clickingonthewronglink/openingthewrongfile–Anemployeewhostealsdataforresaleorillegaluse



PHISHINGEMAILSEXAMPLES

Phishingemailposesasanimportantemailfromatrustedorganization

– Anotificationfromthepostoffice,UPS,FedExshippinginformingtherecipientofadelivery

– Amessagefromautilityproviderorretaileraboutanoverduebill

– Analertabouttherecipient’staxreturn– Invoicesornoticesforgoodsandservices(Amazon,Costco)

– Fakecreditcardrewardschemes– Directionfromyouremployer,i.e.,needtolog-inbecauseyoulostsomepermission

Eachvariationreliesonourinstincttoactonmessagesthatappeartobeurgent



EMAILASSOURCEOFMALWARE?

- Embedded,butfakelinksenticeyoutoopenharmfulwebsites

- Spoofed“from”addresses

- Attachmentsthatareorhaveembeddedvirusesormalware(docx,xlsx,pptx,html,zip)- MSOfficedocumentscanhavemaliciousmacrosinthem

- Embeddedimagescontaininghiddencodeexposingyoutoharm

- Couponsandadvertisementswith“hiddenagendas”



REASONSFORCLICKING?

• CURIOSITY=34%

• METANEXPECTATION=27%

• INVESTIGATION=17%

• KNOWNSENDER=16%

• TRUSTINCONTEXT=11%

• FEAR=7%

• AUTOMATIC=3%

• Clickingonanattachmentoralinkembeddedinasuspiciousemaillaunchesaprogramthatencrypts(orrewrites)yourfiles



SOWHATHAPPENS?

• Thefilesareheldforransom;thehackerwhosenttheemailwillrequireapaymentfromyoubeforetheywill(hopefully)sendyouthekey(alineofcomputercode)thatdecryptsthefilesandrestorethem.

• Hopeyouhavebackupstorestoreyoursystem;otherwiseyoupay!

• Nowknowntohackersasavictimandwillbesubjecttofutureattacks



PROTECTYOURSELFFROMEVILEMAIL

•Learntohoverandreadlinks!

•Besuspiciousofunexpectedemails

•Donotopenattachmentsyouarenotexpecting:

• Confirmfirstwiththesenderifitlooksimportant

• Orjustdeleteit

• Alwaysbesuspicious(donotletyourguarddown)

• Ifitdoesn’tlookright,it’snotright

• Donotlogintoanaccountfromanemaillinkunlessyouverifyit’salegitemailandsite

• Neverunsubscribefromagroupthatyouareunfamiliarwithordidnotsubscribeto



“But,IThinkI’mSmartAboutThis”

• “Iknew,ifthiswassomethingdangerous,myNortonwouldprotectme”

• “IuseFirefoxandMacOS,soI’mnotafraidoftheviruses”

• “AfterIgoogledit,Photocloud.com seemedtobeacleanwebsite”

• “Igoogledtheemailaddress[…]Ifoundnothing”

• “Iconsiderourwebmailtobesafe”



• Asixcharacter,singlecasepassword= 308millionpossiblecombinations

• Combiningupperandlowercaseandusing8charactersinsteadof6=53trillion

• Substitutinganumberforoneofthelettersyields218trillion.

• Substitutingaspecialcharacter6,095trillion

HOWSTRONGISYOURPASSWORD?

• Usestrongpasswordsorbetteryetpass-phrases,donotusenames,dateofbirths,oranythingknownaboutyou

• Changethemperiodically• Donotsharepasswords!But,ifyoumustconsiderthat:

– Anythingthathappensonthataccountgetstreatedasifyoudidit

– Ifyoudoshareapassword,changeittosomethinggenericbeforeandbacktosomethingcomplexafter;orchangeitafterit’suse

• Useapersonalpasswordmanager

WhatThatMeanstoYou



SAFEWEBBROWSING



THEPROBLEMSWITHBROWSING

Thisisnotyourmother’sinternet!

Useofpasswordsoninsecurepages

Malwareloadedpages

Unexpectedpop-ups

HTTP

HTTPS



http://masterupdate.net/.....

If you are unsure about this type of pop-up, search for “flash update” and go to an adobe.com site to check. Don’t download from a pop-up that’s not from the adobe.com website.



No

No

Bewareoffreedownloadsfromcouponanddownloadsites– malwareoftenfollows!

Andwatchwhereyouclick!



• DONOTCLICKONsuspiciouspop-upsorunexpectedmessageswhenbrowsing!– Ifatwork,callIT;ifathome,closethewindowor,disconnect

fromnetwork

– Workiswork,nothome!

– Rememberyourwebbrowsingactivitiesaretracked(evenifyouclearthebrowserhistory)!

– DON’TCLICKonthatpop-up!

– Testapagebylookingatitfullsizeandthenshrinkingit.Ifitwon’tordoesn’t,closethebrowser!

SafeBrowsing@Workand@Home

• DON’TCALLthenumberonthescreen

• Thingsthataretoogoodtobetrue,aren’ttrue.Don’tclickonthemordeletethem

• Caughtinaloop?Shutdownandreboot

• StaySafe:Browsetrusted sites:• Knowtheaddress:HTTPvs.HTTPS,andnopasswordsonnon-https sites

• Usetwo-factorauthenticationwhenoffered• Don’tdownload“toolbars”orcleaners,unlessknownorcheckedout.Youprobablydon’tneedthem

KEEPYOURCOMPUTERUPTODATEKeepwindows,antivirus,andbrowser

updatedwithlatestversions



FormsofSocialEngineering

• In-person• Phone• Digital



BEWAREOF……phonecallersaskingforconfidentialemployeror

personalinformation,eveniftheyclaimtobefromIToravendor.ReferthemtoITsupportorhangup.

'Canyouhearme?'phonescamFauxtelemarketersaskingunwillingvictimstorespondwithasinglewordto"Canyouhearme?“Donotreplywith“yes”

Don’tclinkontextmessagelinksfromsomeoneyoudon’tknow

{ }



UNFORGETTABLES

• Donotlogonandoffacomputerwhenaskedbyanotheremployeeoroutsideperson–unlessidentityisverified

• CallerIDcanbe“spoofed”• Usetwo-factorauthenticationtransactionswheneveritsavailable

• FiscalandHRpeople:POSTIVELYconfirmallemaileddirectionsforanything(especiallyforpersonnelinformationandpaymentdirection)

• Usepasscodeonmobiledevices43



•Nosystemis100%perfect- sincethreatsarealwayschanging

•Stayaware:stop,think,thenconnect•CallyourITsupportpersonwhenindoubt•Athome:www.malwarebytes.org ifyougetinfected

UH,NOPE

PUTTINGITALLTOGETHER

• Don’tbecurious– justdon’tclick• Online;freeisneverfree• Besuspicious– hoverfirstandcheckitout• Ifyoudidn’taskforit,youdon’tneedit• Never openattachmentsfromunknownpeople• Don’tinstinctivelyopenfilesfrompeopleyouknowbutwerenotexpecting;checkwiththemfirst

• LockyourPCwhenawayfromyourdesk– “Ctrl+Alt+Del>Enter”or“Windows+L”

• Testyourself:searchfor“PewCybersecurityQuiz”• www.pewinternet.org/quiz/cybersecurity-knowledge/



Formoreinformationforworkorhomeorschool:www.stopthinkconnect.org



FORFURTHERDISCUSSION&COMMENTS

MarcPfeiffer,AssistantDirectorBlousteinLocalGovernmentResearchCenterBlousteinSchoolofPlanningandPublicPolicyRutgersUniversityMarc.Pfeiffer@rutgers.edu

• TechnologyRiskManagementPapersat:– http://blousteinlocal.rutgers.edu/managing-technology-risk/

• Orsearchfor“BlousteinTechnologyRisk”

ANDNOW…SOMEWORDSABOUTTECHNOLOGY

RISKSANDPROFICIENCY



Categoriesof

TechnologyRisk

Cyber-security

Financial

Opera-tional

Legal

Reputa-tional

Societal

THREEELEMENTSOFPROFICIENCY

Technology Management

Cyber Hygiene

Technical Competency

• Governance- decisions• Planning– whattodo• Budgeting– howtofund

• Employeetraining• Adoptedpolicies• EncryptionofPIIandPHI

• Meetsminimumstandards• Accesstoexpertise• Incidentresponseplans



MINIMUMACCEPTABLELEVELS:TECHNICALCOMPETENCY

MinimumBackupPractices

TimelySoftwarePatching

StrongDefensiveSoftware

ServerPhysicalSecurity

AccessPrivilegeControls

TechnologySupport

MINIMUMACCEPTABLELEVEL:SOUNDCYBERHYGIENE

Employeetraining

Policies:Email,Internet,Password

ProtectPIIandPHI

Passwordstrength



MINIMUMACCEPTABLELEVEL:TECHNOLOGYMANAGEMENT

Leadershiphasaccesstotechexpertise

Incidentresponseplans

safe cyber hygiene for work and at home august 2017 cyber hygiene...grc 2017 cyber hygiene...

Documents