The document summarizes key statistics from internet security breaches in 2013. It reports that there were over 2,000 incidents exposing more than 800 million records. The business sector accounted for over half of incidents and three quarters of exposed records. Hacking caused over half of incidents and exposed over 70% of records. The document also provides an overview of an information security awareness presentation, covering topics like threats, vulnerabilities, risks, and good security practices.
Original description:
IT security in everyday life
Audience: Non-IT Literate
Complexity Level: Low- Medium
A compromised computer is a hazard to everyone else too, not just to you.

2013, Internet Security Breaches at a Glance
- There were 2,164 incidents reported through December 31, 2013, exposing 822 million records.
- A single hacking incident involving Adobe Systems exposed 152 million names, customer IDs, encrypted passwords, debit or credit card numbers and other information relating to customer orders.
- The Business sector accounted for 53.4% of reported incidents, followed by Government (19.3%), Medical (11.5%), Education (8.2%), and Unknown (7.6%).
- The Business sector accounted for 73.9% of the number of records exposed, followed by Unknown at 24.5%.
- 59.8% of reported incidents were the result of Hacking, which accounted for 72.0% of exposed records.
- 4.8% of reported incidents were the result of Web-related attacks, which accounted for 16.9% of exposed records.

2013, Internet Security Breaches at a Glance
- Breaches involving U.S. entities accounted for 48.7% of the incidents and 66.5% of the exposed records.
- Four 2013 incidents have secured a place on the Top 10 All Time Breach List.
- The number of reported exposed records tops 2.5 billion, and the number of reported incidents tracked by Risk Based Security exceeded 11,200.

Source: 2013 Data Breach Quick View, sponsored by Risk Based Security and Open Security Foundation, February 2014.
Topics Covered
- Introduction to Information Security
- Information Security Policy
- Roles and Responsibility
- What are the Consequences of Security Violations
- CIA of Information Security
- Threats, Vulnerabilities and Risk
- Beware of Scams
- Good Security Practices
- Access Controls
- Internet Security
- Social Engineering
- Phishing Attacks
- Cookies
- Report a Security Incident
Introduction to Information Security
What is Information Security?
Information Security (IS) is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. Information security is achieved by implementing technical, management, and operational measures designed to protect the confidentiality, integrity and availability of information. The goal of an IS program is to understand, manage, and reduce the risk to information under the control of the organization.

CIA of Information Security
There are three elements to protecting information:
- Confidentiality: protecting information from unauthorized disclosure to people or processes.
- Integrity: assuring the reliability and accuracy of information and IT resources.
- Availability: defending information systems and resources from malicious, unauthorized users to ensure accessibility by authorized users.

CIA of Information Security
Your bank ATM is a good example of an information system that must have confidentiality, integrity and availability.
- Imagine if your account was not kept confidential and someone else was able to access it when they approached the ATM. How much damage could be done?
- Imagine if every time you went to the ATM, the balance it displayed was inaccurate. How could the poor integrity of your balance information adversely affect your account management?
- Imagine if your bank's ATM was rarely available when you needed it. Would you continue to use that bank?
Roles and Responsibilities
Privacy policies and procedures require you to:
- Gather, use, and disclose information only for reasons that serve a legitimate job function, support the mission of OLP, and are allowed by law.
- Access information only for authorized purposes.
- Safeguard information in your possession, whether it is in paper or electronic format.
- Report suspected privacy violations or incidents.
- Properly delete documents containing significant information; NEVER place them in the trash.

What are the consequences of security violations?
- Risk to the security and integrity of personal or confidential information, e.g. identity theft, data corruption or destruction, unavailability of critical information in an emergency, etc.
- Loss of valuable business information.
- Loss of employee and public trust, embarrassment, bad publicity, media coverage, news reports.
- Costly reporting requirements in the case of a compromise of certain types of personal and financial information.
- Internal disciplinary action(s) up to and including termination of employment, as well as possible penalties, prosecution and the potential for sanctions / lawsuits.

Threats, Vulnerabilities and Risk
- Threat: the potential to cause unauthorized disclosure, changes, or destruction to an asset. Impact: potential breach of confidentiality, integrity failure and unavailability of information. Types: natural, environmental, and man-made.
- Vulnerability: any flaw or weakness that can be exploited and could result in a breach or a violation of a system's security policy.
- Risk: the likelihood that a threat will exploit a vulnerability. For example, a system may not have a backup power source; hence, it is vulnerable to a threat, such as a thunderstorm, which creates a risk.
Threats: Malicious Code
- Virus: a malicious program that secretly integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.
- Worm: a standalone malicious program which uses computer or network resources to make complete copies of itself. It may include code or other malware to damage both the system and the network.

Threats
- Trojan Horse: a deceptive program that performs additional actions without the user's knowledge or permission. It does not replicate.
- Logic Bomb: a generic term for any type of malicious code that is waiting for a trigger event to release its payload.

Threats
- Denial-of-Service Attacks
- Social Engineering
- Spyware
- Trackware
- Rootkits
Beware of Scams
Scams are increasingly sophisticated and use a variety of tactics, excuses and lies to convince you that a request is genuine. Almost everyone will be approached by a scammer at some stage. Common types of scams include a surprise lottery win in the mail, an email from your bank, and free holiday and guaranteed income scams.

Types of Scams (not limited to)
- Banking and online account
- Chain letters and pyramid
- Health and medical
- Identity theft
- Investment
- Job and employment
- Lottery and competition
- Money transfer
- Mobile phone
- Online
- Personalized
- Business

Who are these guys?
Malicious Hackers: White Hat, Black Hat, Grey Hat, Elite Hacker, Script Kiddie

Attacking Methodology
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks

What Does This Mean for Me?
This means that everyone who uses a computer or mobile device needs to understand how to keep their computer, device and data secure. Information Technology Security is everyone's responsibility. You are responsible for familiarizing yourself with, and complying with, related information security policies, procedures and standards.

Good security practices
- Follow security SOPs / adhere to controls
- Never share passwords or passphrases
- Keep antivirus updated
- Do not click random links
- Beware of email and attachments from unknown people
- Do not download unfamiliar software off the Internet
- Do not propagate virus hoaxes or chain mail
- Log out of or lock your computer / shut down computers
- Remove unnecessary programs or services
- Restrict remote access

Good security practices
- Frequently back up important documents and files
- Treat sensitive data very carefully
- Remove data securely
- Deploy encryption whenever it is available
- Create a different password for each system or application
- Do not reuse passwords until six other passwords have been used
Access Controls
A strong password for your network account and other applications is a basic protection mechanism. While it is tempting to create an easy or generic password that is easy to remember, it is not very secure.

Access Controls
Two rules for stronger passwords:
1. Create a password at least eight characters in length.
2. The password should contain at least one of each:
   - Capital letter
   - Lowercase letter
   - Number
   - Special character (%, ^, *, ?)

Access Controls
Having trouble remembering passwords? Use a passphrase. Use the initials of a song or phrase to create a unique password. Example: "Take me out to the ballgame!" becomes Tmo2tBG!
Commit passwords to memory. If you are still having trouble, then write it down and keep it in a secure place, like your wallet. DO NOT keep passwords near your computer or on your desk.

Internet Security
Cyber crime refers to any crime that involves a computer and a network. Offenses are primarily committed through the Internet. Common examples of cyber crime include credit card fraud, spam, and identity theft.
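An added example, not part of the original presentation, that checks a candidate password against the two rules on the Access Controls slides and applies the passphrase-initials trick to the slide's own phrase. It assumes that any punctuation character counts as a special character (the slide only lists %, ^, *, ? as examples), and it shows why the slide's example needs the extra substitutions ("to" to "2", "ballgame" to "BG"): the bare initials alone do not satisfy the policy.

```python
"""Password policy check for the two rules on the Access Controls slides.

Added example, not from the presentation. Assumption: any punctuation
character counts as a "special character"; the slide lists only
(%,^,*,?) as examples.
"""
import string

MIN_LENGTH = 8
SPECIAL = set(string.punctuation)  # assumption: broader than the slide's four examples


def policy_failures(password: str) -> list[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no capital letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in SPECIAL for c in password):
        failures.append("no special character")
    return failures


def passphrase_initials(phrase: str) -> str:
    """First letter of each word, keeping the phrase's trailing punctuation.

    This is only the mechanical part of the slide's trick; the slide's
    example also swaps "to" for "2" and "ballgame" for "BG" by hand.
    """
    initials = "".join(word[0] for word in phrase.split() if word)
    last = phrase.rstrip()[-1:]
    trailing = last if last in SPECIAL else ""
    return initials + trailing


if __name__ == "__main__":
    # Constructed inputs: the slide's phrase and its finished password.
    raw = passphrase_initials("Take me out to the ballgame!")
    print(raw, policy_failures(raw))              # Tmottb! fails: too short, no number
    print("Tmo2tBG!", policy_failures("Tmo2tBG!"))  # the slide's version passes
```

Running the block shows that the plain initials "Tmottb!" are rejected for two reasons, while the slide's substituted form passes every rule.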
Social engineering
These individuals may look trustworthy, but in fact are sophisticated cyber criminals. They use social engineering techniques to obtain your personal information, access sensitive government information, and even steal your identity.

Social engineering
Social engineering is classically defined as the art of manipulating and exploiting human behavior to gain unauthorized access to systems and information for fraudulent or criminal purposes. Social engineering attacks are more common and more successful than computer hacking attacks against the network.

Social engineering
Social engineering attacks are based on natural human desires like:
- Trust
- Desire to help
- Desire to avoid conflict
- Fear
- Curiosity
- Ignorance and carelessness

Social engineering
Social engineers gain information by exploiting the desire of humans to trust and help each other.

Phishing Attacks
Spear phishing is an attack that targets a specific individual or business. The email is addressed to you and appears to be sent from an organization you know and trust, like a government agency or a professional association. Whaling is a phishing or spear phishing attack aimed at a senior official in the organization.

Cookies
A cookie is a text file that a website puts on your hard drive to save information that you typed in, like preferences or a user name. Cookies can also be used to track your activities on the web. Cookies pose a security risk because someone could access your personal information or invade your privacy.

Cookies
Combat cookies: use cookies with caution. Confirm that web sites that ask for personal information are encrypted and the URL begins with https. Note that there is an inherent risk any time you enter personal information on a web site.
Quiz: A hacked computer can be used to (select all that apply)
1. Record keystrokes and steal passwords.
2. Send spam and phishing emails.
3. Harvest and sell email addresses and passwords.
4. Access restricted or personal information on your computer or other systems that you have access to.
5. Illegally distribute music, movies and software.
6. Distribute child pornography.
7. Infect other systems.
8. Generate large volumes of traffic, slowing down the entire system.
Answer: ALL

Report a Security Incident
A computer security incident is any attempted or successful unauthorized access, disclosure, or misuse of computing systems, data or networks (including hacking and theft). You should:
- Preserve the evidence
- Remediate (if possible, run antivirus)
- Isolate the system
- Report to: your internet service provider, OR your antivirus company, OR your company's IT security department

Other Essential Security Measures
Keep in mind
- Make sure your computer is protected with anti-virus and all necessary security "patches" and updates, and that you know what you need to do, if anything, to keep them current.
- Do not keep sensitive information or your only copy of critical data on portable devices (laptops, CDs/DVDs, data sticks, PDAs, phones, etc.) unless they are properly protected.
Keep in mind
- Do not install unknown or unsolicited programs on computers, such as programs you find out about through email. These can harbor behind-the-scenes computer viruses or open a "back door" giving others access to your computer without your knowledge.
- Make backup copies of data you are not willing to lose and store the copies very securely.
- Shut down, lock, log off of, or put your computer to sleep before leaving it unattended, and make sure it requires a password to start up or wake up.

Keep in mind
- Be careful when using wireless. Information sent via standard wireless is especially easy to intercept.
- Do not connect to unknown wireless hot spots/access points if you're concerned about security or privacy (or your passwords).
- Set devices to "ask" before joining networks so you do not unknowingly connect to insecure wireless networks.
- Be sure that automatic login and guest accounts are disabled on your computer.
- Always shut your computer down properly when you shut down; do not just turn off the power button or the monitor.

Keep in mind
- Secure laptop computers at all times: keep it with you or lock it up before you step away. At all times: in your office, at meetings, conferences, coffee shops, etc. Make sure it is locked to or in something permanent!

Security Self-Test: Questions & Scenarios
Scenario 1
1. You receive an e-mail with an attachment from "I.T. Security." The e-mail says that your computer has been infected with a virus and you need to open the attachment and follow the directions to get rid of the virus. What should you do? (Select all that apply)
A. Follow the instructions ASAP to avoid the virus.
B. Open the e-mail attachment to see what it says.
C. Reply to the sender and say "take me off this list".
D. Delete the message from the unknown source.
E. Contact the IT Help Desk and ask about the email.

Scenario 2
2. Which workstation security safeguards are YOU responsible for following and/or protecting? (Select all that apply)
1. User I.D.
2. Password
3. Log-off programs
4. Lock-up office or work area (doors, windows)
5. All of the above

Scenario 3
3. Someone used their Gmail account at a cyber cafe. He made sure his Gmail account was no longer open in the browser window before leaving the cafe. Someone came in behind and used the same browser to re-access his account. They started sending emails from it and caused all sorts of mayhem.
Question: What do you think might be going on here?

Scenario 4
4. You receive an email from your bank telling you there is a problem with your account. The email provides instructions and a link so you can log in to your account and fix the problem. What should you do?

Scenario 5
5. A while back, the IT folks got a number of complaints that one of our computers was sending out spam. They checked it out, and the reports were true: a hacker had installed a program on the computer that made it automatically send out tons of spam email without the computer owner's knowledge.
Q: How do you think the hacker got into the computer to set this up?