
Security Awareness

by David Shepherd on 19 November 2014


Transcript of Security Awareness

Social Engineering
You're the Target
"Social Engineering is the act of deceiving people into giving away access to confidential information such as passwords or member information"
"A skilled social engineer can circumvent all of our technical controls in a matter of minutes if we allow it"
"Awareness of social engineering by all of us is one of our greatest security controls"

Email Security

Internet Security
"85% of malware comes from the web with drive-by downloads"
"30,000 sites are infected daily"
"80% of infected sites are legitimate"
-Sophos Labs

Passwords
"Passwords are one of the weakest forms of security"
"123456 is the #1 most common password"
"password is the #1 most common base word"
-carousel30

Workspace Security

Incident Response

Security Awareness
Encryption
Secures data between your PC and another PC
Plain Text - "The account number is xxxxxx"
Cipher Text - "JGKDASOIREMVPSOKEIMISFF"
The Key - password, token, biometric
Anything digital can be encrypted
How Social Engineering Works
They will contact you:
  Phone call
  Email
  In person
Establish a connection
Develop trust through a relationship
Requests for valid information
Request for confidential information

How to Detect Social Engineering
An uninitiated contact by a stranger
Quick talker who quickly becomes friends
Asks a lot of questions
Stresses urgency
Asks for confidential information:
  Passwords, member info, company info, employee info, IT info, personal info, operations info, building info

How to Respond to Social Engineering
Ask for their name and number
Ask for the name of a company contact
Verify their information:
  Verify with their contact if applicable
  Verify with their company if applicable
  Technology - Verify with IT
  Operations, etc - Verify with supervisor
Sending Emails Securely
Don't use member info such as account numbers and social security numbers
Only use last 4 of account # to reference
Don't use personal information
Encryption
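The "last 4 of account #" rule above can be enforced before a message leaves the mailbox. The following Python function is an added example, not part of the presentation, that scans a constructed email body for social security numbers and full account numbers, drops the SSN and rewrites each account number so only its last four digits remain. The account-number pattern (an unbroken run of 8 to 12 digits) and the sample text are assumptions for illustration; a real deployment would use the institution's actual account-number format.

```python
import re
from typing import List, Tuple

# Constructed sample of an outgoing email body; not taken from the presentation.
SAMPLE_BODY = (
    "Hi Pat, the member's account number is 1234567890 and their "
    "SSN is 123-45-6789. Please update the address on file."
)

# US social security number in its dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Assumption: member account numbers are unbroken runs of 8 to 12 digits.
# Replace with the institution's real account-number format.
ACCOUNT_RE = re.compile(r"\b\d{8,12}\b")


def last_four_reference(number: str) -> str:
    """Keep only the last four digits, e.g. '1234567890' -> '...7890'."""
    digits = re.sub(r"\D", "", number)
    return "..." + digits[-4:]


def redact_body(body: str) -> Tuple[str, List[str]]:
    """Rewrite an email body so it carries no SSN and no full account number.

    Returns the rewritten text and a list naming each kind of data that was
    found, in the order it was handled (SSNs first, then account numbers).
    """
    findings: List[str] = []

    def drop_ssn(match: "re.Match[str]") -> str:
        findings.append("ssn")
        return "[SSN removed]"  # an SSN is never sent, not even partially

    def mask_account(match: "re.Match[str]") -> str:
        findings.append("account")
        return last_four_reference(match.group(0))

    body = SSN_RE.sub(drop_ssn, body)
    body = ACCOUNT_RE.sub(mask_account, body)
    return body, findings


def safe_to_send(body: str) -> bool:
    """True when the body contains neither an SSN nor a full account number."""
    return not (SSN_RE.search(body) or ACCOUNT_RE.search(body))


if __name__ == "__main__":
    text, found = redact_body(SAMPLE_BODY)
    print(found)   # ['ssn', 'account']
    print(text)
```

The SSN pattern runs first so that a dashed SSN is removed outright rather than being masked like an account number; a nine-digit SSN typed without dashes falls through to the account rule and is still reduced to its last four digits.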
Types of Malicious Emails
Email Spoofing
Attachments
Links
Pictures
Scams
Phishing
Spear Phishing
Bad grammar and spelling
How to Respond to Malicious Emails
Did you initiate the email conversation?
  Yes - Most likely legitimate, but use caution
  No - Most likely fake
Verify the sender by another means of communication
Beware of links, attachments, and pictures
If in doubt, call or email me or anyone else in IT

"74% of email messages are spam"
"92% of malicious emails contain a web link"
"9% of data stealing attacks occur over email"
-Websense
Understanding the URL - HTTP vs HTTPS
Domain - www.cinfed.com
Correct:
  http://www.cinfed.com
  http://www.cinfed.com/rates
  https://www.cinfed.com
Incorrect:
  http://server231.com/cinfed
  https://server231.com/cinfed
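The point of the correct/incorrect list is that only the host part of a URL identifies the site; "cinfed" appearing in the path proves nothing. The Python below is an added example, not the presentation's own material, that extracts the host with the standard library and compares it with the trusted domain, and separately reports whether the link uses HTTPS. The five URLs are the ones listed above; the normalize() step, which treats a URL typed without a scheme as http://, is an assumption added for convenience.

```python
from urllib.parse import urlsplit
from typing import Tuple

# The domain the presentation treats as the legitimate one.
TRUSTED_DOMAIN = "www.cinfed.com"

# Examples taken from the presentation, labelled as it labels them.
CORRECT_URLS = [
    "http://www.cinfed.com",
    "http://www.cinfed.com/rates",
    "https://www.cinfed.com",
]
INCORRECT_URLS = [
    "http://server231.com/cinfed",
    "https://server231.com/cinfed",
]


def normalize(url: str) -> str:
    """Assumption: a URL typed without a scheme (e.g. 'www.cinfed.com/rates')
    is meant as http://, so urlsplit() can find its host part."""
    url = url.strip()
    return url if "://" in url else "http://" + url


def hostname_of(url: str) -> str:
    """The host part of a URL, lower-cased; '' if none can be found."""
    return (urlsplit(normalize(url)).hostname or "").lower()


def is_trusted(url: str, domain: str = TRUSTED_DOMAIN) -> bool:
    """True only when the host is exactly the trusted domain.

    The path ('/cinfed') is ignored on purpose: the site name appearing after
    the host says nothing about who operates the server.
    """
    return hostname_of(url) == domain.lower()


def uses_https(url: str) -> bool:
    """True when the link is served over HTTPS."""
    return urlsplit(normalize(url)).scheme.lower() == "https"


def classify(url: str) -> Tuple[bool, bool]:
    """(on the trusted domain?, served over HTTPS?)"""
    return is_trusted(url), uses_https(url)


if __name__ == "__main__":
    for u in CORRECT_URLS + INCORRECT_URLS:
        print(u, "->", classify(u))
```

The match is deliberately exact: a host that merely contains or resembles the trusted name is rejected, and so is cinfed.com without the www prefix, because the presentation names only www.cinfed.com as the domain. Widen the rule only if the organisation actually serves from other hosts.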
Downloading Files
Never install add-ons unless it is a secure site required for work purposes
Never download files unless it is a secure site required for work purposes
Never download email attachments unless you were expecting an attachment
How to Create Your Password
Password:
  At least 8 characters
  Uppercase letters
  Lowercase letters
  Numbers
  Symbols
  No personal references
  Example - "%28PluTo13%"
Passphrase - a complete phrase:
  20-30 characters
  Uppercase letters
  Lowercase letters
  Numbers
  Symbols
  No personal references
  Example - "CaptainJack$parrowAndTheBlackPear1"
Acronym - convert a phrase into an acronym:
  At least 8 characters
  Uppercase letters
  Lowercase letters
  Numbers
  Symbols
  Example - "My son's birthday is January 22 2007" becomes "MsBiJ,22/2007"
Store in an encrypted file
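The three methods above share one set of character rules and differ only in the minimum length (8 for a password or an acronym, 20 for a passphrase). The Python below is an added example, not from the presentation, that checks a candidate against those rules and reports every rule it fails; it is run against the presentation's three example passwords and against the two weak choices quoted earlier ("123456" and "password"). The "no personal references" rule cannot be checked without knowing the owner, so the optional personal_terms list is an assumption added here to show how that rule could be applied when such a list exists.

```python
import string
from typing import Dict, Iterable, List


def character_classes(password: str) -> Dict[str, bool]:
    """Which of the four required character classes are present."""
    return {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def check_password(password: str, min_length: int = 8,
                   personal_terms: Iterable[str] = ()) -> List[str]:
    """Return the rules the password fails; an empty list means it meets them all.

    min_length is 8 for the password and acronym methods and 20 for a
    passphrase. personal_terms is an optional list of words the owner should
    not use (names, pets, birth years); the rule itself is from the
    presentation, the list-based check is an assumption made here.
    """
    failures: List[str] = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    for name, present in character_classes(password).items():
        if not present:
            failures.append(f"no {name} characters")
    lowered = password.lower()
    for term in personal_terms:
        if term and term.lower() in lowered:
            failures.append(f"contains personal reference '{term}'")
    return failures


def check_passphrase(phrase: str, personal_terms: Iterable[str] = ()) -> List[str]:
    """The passphrase method: the same character rules, but at least 20 characters."""
    return check_password(phrase, min_length=20, personal_terms=personal_terms)


if __name__ == "__main__":
    # The three examples from the presentation, then the two weak ones it quotes.
    for pw in ["%28PluTo13%", "CaptainJack$parrowAndTheBlackPear1",
               "MsBiJ,22/2007", "123456", "password"]:
        print(repr(pw), check_password(pw) or "meets the rules")
```

Note that the checker only verifies the stated rules; it says nothing about how guessable the result is, which is why the presentation pairs the rules with the advice to store the password in an encrypted file rather than reuse it.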
Why It Works On Us
Strong Affect - Induce panic; create an emergency situation
Overloading - Too much information too fast
Deceptive Relationships - Build a relationship and exploit it
Authority - Portray an authority figure
How They Get Your Password
Phishing
Key logging
Brute force
Wire tapping
Malware
Over the shoulder
Public PC
More...
Securing Your Workspace
Lock your drawers
Lock your door if applicable
Clean desk
Shred documents with account numbers and other confidential information
Examine your workspace as a whole
Securing Your PC - lock it with Windows + L
Visitors
Unknown Visitors - in-person social engineering
Escort your visitor
Notify your supervisor
Ask for purpose, name, company, Cinfed contact
Verify with their Cinfed contact
Verify with their company if necessary
What if you suspect:
  Social engineering attempt
  Malicious email
  Internet security issue
  Password compromise
  Confidential data theft
React:
  Don't ignore or hide your suspicion
  Notify your supervisor and contact anyone in IT quickly to mitigate any possible damage
Protect - Detect - React

"90% People & Processes"
"10% Technology"
IT User Policy
External and Remote Access
Must be approved
No one else can use your connection
No pictures of your screen are allowed
Internet Access
During business hours for business use only
Limited personal use allowed during lunch, breaks, etc
All internet usage is monitored and logged
Don't transmit sensitive data over an unencrypted connection
Only download files required for job duties
Only access appropriate sites
Phone System Usage
No sensitive information allowed over the phone unless the recipient has been verified
Reasonable and limited personal use is allowed
Passwords
Acceptable Use
Don't put any files you consider personal on the system
Files on the system are owned by the company
Reasonable and limited personal use is allowed during lunch, breaks, etc

Approved Hardware and Software
All hardware connected to the network must be approved
All software downloaded and installed must be approved
Digital Camera Usage
Don't take pictures of members, IT equipment, private branch areas, security systems, computer screens
Email Access and Use
Any sensitive data sent via email must be encrypted
Reasonable and limited personal use is allowed during lunch, breaks, etc
Email is monitored and logged
Messaging
Don't use external messaging systems such as Facebook and Twitter to contact members

Removable Media
Removable media such as CDs, DVDs, flash drives, cameras, and phones should not be connected to the PCs
Social Media
Do not share sensitive company info on social media
Do not mention members or employees in a negative context
Blogging
If you blog about an industry-related topic, use a disclaimer stating that your opinions are not affiliated with the company
Do not share sensitive info
Do not mention members or employees in a negative context

Electronic Devices
Electronic devices must be authorized to access company data
Don't connect electronic devices to the company network
Wi-Fi is provided at some branches for your convenience
Clean Desk
Sensitive information must be locked or stored securely
All sensitive documents must be shredded
Security Tokens
Security tokens must be stored in a secured area when unused
Privacy
All files and computer use can be monitored; don't store anything you wouldn't want someone else to see