
Awareness Program

Presented by: Muhammad Moiz Uddin


A compromised computer is a
hazard to everyone else too,
not just to you.
2013 Internet Security Breaches at a Glance
There were 2,164 incidents reported through December 31, 2013 exposing
822 million records.
A single hacking incident involving Adobe Systems exposed 152 million
names, customer IDs, encrypted passwords, debit or credit card numbers
and other information relating to customer orders.
The Business sector accounted for 53.4% of reported incidents, followed by
Government (19.3%), Medical (11.5%), Education (8.2%), and Unknown
(7.6%).
The Business sector accounted for 73.9% of the number of records exposed,
followed by Unknown at 24.5%.
59.8% of reported incidents were the result of Hacking which accounted for
72.0% of exposed records.
4.8% of the reported incidents were the result of Web-related attacks,
which accounted for 16.9% of exposed records.
2013 Internet Security Breaches at a Glance
Breaches involving U.S. entities accounted for 48.7% of the
incidents and 66.5% of the exposed records.
Four 2013 incidents have secured a place on the Top 10 All
Time Breach List.
The number of reported exposed records tops 2.5 billion and
the number of reported incidents tracked by Risk Based
Security exceeded 11,200.


Sponsored by:
Risk Based Security, February 2014
Open Security Foundation, February 2014
2013, Data Breach Quick View

Topics Covered
Introduction to Information Security
Information Security Policy
Roles and Responsibility
What are the Consequences of Security Violations
CIA of Information Security
Threats, Vulnerabilities and Risk
Beware of Scams
Good Security Practices
Access Controls
Internet Security
Social Engineering
Phishing Attacks
Cookies
Report a Security Incident

Introduction to
Information Security

What is Information Security?
Information Security (IS): the protection of information and
information systems from unauthorized access, use,
disclosure, disruption, modification, or destruction in order to
provide confidentiality, integrity, and availability.
Information security is achieved through implementing
technical, management, and operational measures designed
to protect the confidentiality, integrity and availability of
information.
The goal of an IS program is to understand, manage, and
reduce the risk to information under the control of the
organization.
CIA of Information Security
There are three elements to protecting
information:
Confidentiality: protecting information from
unauthorized disclosure to people or processes
Integrity: assuring the reliability and accuracy of
information and IT resources
Availability: defending information systems and
resources from malicious, unauthorized users to
ensure accessibility by authorized users
CIA of Information Security
Your bank ATM is a good example of an
information system that must provide confidentiality,
integrity and availability.
Imagine if your account was not kept confidential and
someone else was able to access it when they
approached the ATM. How much damage could be
done?
Imagine if every time you went to the ATM, the
balance it displayed was inaccurate. How could the
poor integrity of your balance information adversely
affect your account management?
Imagine if your bank's ATM was rarely available when
you needed it. Would you continue to use that bank?

Roles and Responsibilities
Privacy policies and procedures require
you to:
Gather, use, and disclose information only for reasons
that are for a legitimate job function, support the
mission of OLP, and are allowed by law.
Access information only for authorized purposes.
Safeguard information in your possession, whether it
be in paper or electronic format.
Report suspected privacy violations or incidents.
Dispose of documents containing sensitive
information properly; NEVER place them in the trash.
What are the consequences for
security violations?
Risk to security and integrity of personal or confidential
information
e.g. identity theft, data corruption or destruction, unavailability of critical information in
an emergency, etc.
Loss of valuable business information
Loss of employee and public trust, embarrassment, bad
publicity, media coverage, news reports
Costly reporting requirements in the case of a compromise of
certain types of personal and financial information
Internal disciplinary action(s) up to and including termination
of employment, as well as possible penalties, prosecution and
the potential for sanctions / lawsuits
Threats, Vulnerabilities and Risk
Threats: the potential to cause unauthorized disclosure, changes,
or destruction to an asset.
Impact: potential breach in confidentiality, integrity failure
and unavailability of information
Types: natural, environmental, and man-made

Vulnerabilities: any flaw or weakness that can be exploited and
could result in a breach or a violation of a system's security policy.

Risk: the likelihood that a threat will exploit a vulnerability.
For example, a system may not have a backup power source;
hence, it is vulnerable to a threat, such as a thunderstorm,
which creates a risk.

Threats
Malicious Code
Virus
A malicious program that secretly integrates itself into
program or data files. It spreads by integrating itself
into more files each time the host program is run.
Worms
A standalone malicious program which uses computer
or network resources to make complete copies of
itself. May include code or other malware to damage
both the system and the network.
Threats
Trojan Horse
This is a deceptive program that performs additional
actions without the user's knowledge or permission. It
does not replicate.
Logic Bomb
The logic bomb is a generic term for any type of
malicious code that is waiting for a trigger event to
release the payload.
Threats
Denial-of-Service Attacks
Social Engineering
Spyware
Trackware
Rootkits

Beware of Scams
Scams are increasingly sophisticated and use a
variety of tactics, excuses and lies to convince
you that it is a genuine request.
Almost everyone will be approached by a
scammer at some stage. Common types of
scams include a surprise lottery win in the
mail, email from your bank, the free holidays
and guaranteed income scams.

Types of Scams (not an exhaustive list)
Banking and online account
Chain letters and pyramid schemes
Health and medical
Identity theft
Investment
Job and employment
Lottery and competition
Money transfer
Mobile phone
Online
Personalized
Business
Who are these guys?
Malicious Hackers
White Hat
Black Hat
Grey Hat
Elite Hacker
Script Kiddie
Attacking Methodology
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks
What Does This Mean for Me?
This means that everyone who uses a
computer or mobile device needs to
understand how to keep their computer,
device and data secure.
Information Technology Security is everyone's responsibility.
You are responsible for familiarizing yourself
with, and complying with, related information
security policies, procedures and standards.
Good security practices
Follow security SOPs and adhere to controls
Never share passwords or passphrases
Keep antivirus updated
Do not click random links
Beware of email and attachments from unknown people
Do not download unfamiliar software off the Internet
Do not propagate virus hoaxes or chain mail
Log out of or lock your computer / Shut down computers
Remove unnecessary programs or services
Restrict remote access

Good security practices
Frequently back up important documents and files
Treat sensitive data very carefully
Remove data securely
Deploy encryption wherever it is available
Create a different password for each system or application
Do not reuse passwords until six other passwords have been used


Access Controls
A strong password for your network account
and other applications is a basic protection
mechanism.
While it is tempting to create an easy or
generic password that is easy to remember, it
is not very secure.

Access Controls
Two rules for stronger passwords:
Create a password at least eight characters in
length.
The password should contain at least one of each:
Capital letter
Lowercase letter
Number
Special character (%, ^, *, ?)

Access Controls
Having trouble remembering passwords? Use a
passphrase.
Use the initials of a song or phrase to create a
unique password.
Example: "Take me out to the ballgame!"
becomes "Tmo2tBG!"
Commit passwords to memory. If you are still
having trouble, then write it down and keep it in
a secure place, like your wallet.
DO NOT keep passwords near your computer or
on your desk.
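An added example (not part of the original presentation) that turns the two password rules above and the earlier "do not reuse passwords until six other passwords have been used" rule into a checker, and runs it over the slide's own "Tmo2tBG!" example. It assumes that any character which is not a letter or digit counts as a special character, since the slide lists %, ^, *, ? only as examples.

```python
import hashlib

# Added example: checker for the password rules on the "Access Controls" and
# "Good security practices" slides. Assumption: any non-alphanumeric character
# is treated as a special character (the slide lists %, ^, *, ? as examples).

MIN_LENGTH = 8
HISTORY_DEPTH = 6  # a password may return only after six others were used


def password_failures(pw: str) -> list:
    """Return the rules that `pw` violates; an empty list means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("shorter than eight characters")
    if not any(c.isupper() for c in pw):
        failures.append("no capital letter")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no number")
    if not any(not c.isalnum() for c in pw):
        failures.append("no special character")
    return failures


def digest(pw: str) -> str:
    # Constructed stand-in for a stored password hash, so that the history
    # below never holds plaintext; a real system would use a salted, slow hash.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def reuse_allowed(new_pw: str, history: list) -> bool:
    """`history` holds digests of previous passwords, oldest first. The new
    password is rejected if it matches any of the last HISTORY_DEPTH entries."""
    return digest(new_pw) not in history[-HISTORY_DEPTH:]


if __name__ == "__main__":
    # The slide's passphrase-derived example passes; a dictionary word does not.
    for candidate in ("Tmo2tBG!", "password", "Pass1"):
        print(candidate, password_failures(candidate) or "OK")
    # Constructed history of seven previous passwords, oldest first.
    history = [digest(f"Old{i}pass!") for i in range(7)]
    print(reuse_allowed("Old0pass!", history))  # True: six others used since
    print(reuse_allowed("Old6pass!", history))  # False: the most recent one
```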
Internet Security
Cyber crime refers to any crime that involves a
computer and a network. Offenses are
primarily committed through the Internet.
Common examples of cyber crime include:
Credit card fraud;
Spam; and
Identity theft.

Social engineering
These individuals may look trustworthy,
but in fact are
sophisticated cyber criminals.
They use social engineering
techniques to obtain your
personal information, access
sensitive government
information, and even steal
your identity.
Social engineering
Social engineering is classically defined as the
art of manipulating and exploiting human
behavior to gain unauthorized access to
systems and information for fraudulent or
criminal purposes.
Social engineering attacks are more common
and more successful than computer hacking
attacks against the network.
Social engineering
Social engineering attacks are based on
natural human desires like:
Trust
Desire to help
Desire to avoid conflict
Fear
Curiosity
Ignorance and carelessness
Social engineering
Social engineers will gain information by exploiting the
desire of humans to trust and help each other.
Phishing Attacks
Spear phishing is an attack that targets a
specific individual or business. The email is
addressed to you and appears to be sent from
an organization you know and trust, like a
government agency or a professional
association.
Whaling is a phishing or spear phishing attack
aimed at a senior official in the organization.
Cookies
A cookie is a text file that a website puts on
your hard drive that saves information that
you typed in, like preferences or user name.
Cookies can also be used to track your
activities on the web.
Cookies pose a security risk because someone
could access your personal information or
invade your privacy.

Cookies
Combat cookies
Use cookies with caution.
Confirm that web sites that ask for personal
information are encrypted and the URL begins
with https.
Note that there is an inherent risk anytime
you enter personal information on a web site.

Quiz: A hacked computer can be used
to (select all that apply)
1. Record keystrokes and steal passwords.
2. Send spam and phishing emails.
3. Harvest and sell email addresses and passwords.
4. Access restricted or personal information on your computer
or other systems that you have access to.
5. Illegally distribute music, movies and software.
6. Distribute child pornography.
7. Infect other systems.
8. Generate large volumes of traffic, slowing down the entire
system.
Answer: ALL
Report a Security Incident
A computer security incident is any attempted or successful
unauthorized access, disclosure, or misuse of computing
systems, data or networks (including hacking and theft).
You should:
Preserve the evidence
Remediate (if possible, run antivirus)
Isolate the system
Report to:
Your Internet service provider, OR
Your antivirus company, OR
Your company's IT security department
Other Essential Security Measures
Keep in mind
Make sure your computer is protected with
anti-virus and all necessary security "patches"
and updates, and that you know what you
need to do, if anything, to keep them current.
Do not keep sensitive information or your only
copy of critical data on portable devices
(laptops, CDs/DVDs, data sticks, PDAs, phones,
etc.) unless they are properly protected.

Keep in mind
Do not install unknown or unsolicited programs on
computers.
Such as programs you find out about through email.
These can harbor behind-the-scenes computer viruses or
open a "back door" giving others access to your computer
without your knowledge.
Make backup copies of data you are not willing to lose
and store the copies very securely.
Shut down, lock, log off of, or put your computer to
sleep before leaving it unattended, and make sure it
requires a password to start up or wake-up.
Keep in mind
Be careful when using wireless.
Information sent via standard wireless is especially easy to
intercept
Do not connect to unknown wireless hot spots/access
points if you're concerned about security or privacy (or
your passwords)
Set devices to "ask" before joining networks so you do not
unknowingly connect to insecure wireless networks
Be sure that automatic login and guest accounts are
disabled on your computer.
Always shut your computer down properly when you
shut down; do not just turn off the power button or
the monitor.

Keep in mind
Secure laptop computers at all times: keep them
with you or lock them up before you step away.
At all times: in your office, at meetings,
conferences, coffee shops, etc.
Make sure it is locked to or in something
permanent!
Security Self-Test: Questions &
Scenarios

Scenario 1
1. You receive an e-mail with an attachment from
"I.T. Security." The e-mail says that your
computer has been infected with a virus and you
need to open the attachment and follow the
directions to get rid of the virus. What should
you do? (Select all that apply)
A. Follow the instructions ASAP to avoid the virus.
B. Open the e-mail attachment to see what it says.
C. Reply to the sender and say "take me off this list".
D. Delete the message from the unknown source.
E. Contact the IT Help Desk and ask about the email.

Scenario 2
2. Which workstation security safeguards are
YOU responsible for following and/or
protecting? (Select all that apply)
1. User I.D.
2. Password
3. Log-off programs
4. Lock-up office or work area (doors, windows)
5. All of the above
Scenario 3
3. A user checked his Gmail account at a cyber
cafe. He made sure his Gmail account was no
longer open in the browser window before
leaving the cafe. Someone came in behind and
used the same browser to re-access his account.
They started sending emails from it and caused
all sorts of mayhem.

Question: What do you think might be going on
here?
Scenario 4
4. You receive an email from your bank telling
you there is a problem with your account.
The email provides instructions and a link so
you can log in to your account and fix the
problem. What should you do?
Scenario 5
5. A while back, the IT folks got a number of
complaints that one of our computers was
sending out spam. They checked it out, and the
reports were true: a hacker had installed a
program on the computer that made it
automatically send out tons of spam email
without the computer owner's knowledge.

Q: How do you think the hacker got into the
computer to set this up?
