Information Technology Security Training - Basic
This short discussion is designed to provide individuals who have access to information and information systems (IS) with the knowledge to identify potential risks and vulnerabilities, along with ways to protect information and information systems from internal and external threats.
This short discussion will help increase your security awareness so that your information and IS are protected, and it can help fulfill the Office of Management and Budget (OMB) and Federal Information Security Management Act of 2002 (FISMA) requirements for security awareness training.
After completing this short training course you should be able to:
Working @ Home
Malicious Code (Malware)
Sensitive But Unclassified (SBU) / Personally Identifiable Information (PII) / Health Insurance Portability and Accountability Act (HIPAA)
Scenario: Working @ Home
You are working from home today and are logged into your company-provided computer.
You access your personal email account.
You open an email received from your sibling; it has an attachment entitled “PictureOfUsAsKids.jpg”.
You open the attachment to see the photo of the two of you, but the image does not appear to contain anything.
You finish checking personal email and get back to work.
Returning to the office the next day, you plug the laptop into the company network and get to work.
Hours later you see alerts and announcements from IT staff that the network has been corrupted.
Unknown to you, the attachment you opened the previous day was not an image and was not sent by your sibling; it was malicious code that infected the computer without your knowledge.
When you plugged the laptop in the next day at the office, the malicious code began to spread through the corporate network, corrupting data as it traveled.
Working from somewhere other than your office has tremendous benefits but also introduces additional security risks to the company’s information and network.
To protect the organization’s information and networks:
Security practices in “remote” locations must match or exceed security measures followed in the office
Employees should only use organization-authorized and approved devices
Be on guard and protect your mobile devices from loss or theft
Avoid leaving mobile devices in plain sight
Keep an eye on your laptop at all times (e.g., when getting a coffee or going through airport security).
Malicious Code or Malware
Describes software that is purposely designed with the intent to deny, destroy, modify, or obstruct system configuration, programs, or data files.
Common types of malicious code include viruses, Trojan horses, and worms.
The Morris worm of November 2, 1988 was the first computer worm distributed via the Internet.
It was built by a graduate student at Cornell and launched from computers at MIT.
It was originally built to gauge the size of the Internet, but because of a software bug it kept re-infecting a machine it was already on until that machine became unusable.
The most common ways malicious code spreads are email attachments, files downloaded from the Internet, and visits to infected websites that automatically download malicious code.
Malware Prevention Tips
Keep all software, especially security software, updated and set to update automatically.
Do not click on links in emails or pop-up messages (use a pop-up blocker).
Download and install software only from websites you know and trust.
Keep browser security settings high enough to detect unauthorized downloads.
Scan all attachments before opening them.
Do not connect any unknown device (e.g., a USB drive) to your machines.
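The scenario above hinged on an attachment named like a photo that was not one. The following Python check, added here as an example and not part of the original training material, compares an attachment's bytes with the file type its name claims and flags double extensions, so a mismatch can be caught before the file is opened; the file names and byte samples are constructed for the example.

```python
import os
import re

# Standard header bytes (magic numbers) for the image types a file named like a
# photo should contain; these are the well-known public values.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Header bytes of executable containers that are often disguised as images.
EXECUTABLE_SIGNATURES = {
    "Windows PE executable": b"MZ",
    "ELF executable": b"\x7fELF",
    "ZIP archive (may hold an installer or script)": b"PK\x03\x04",
}

def inspect_attachment(filename, data):
    """Return a list of findings; empty means the bytes match what the name
    claims. A pre-open check that complements, not replaces, an AV scan."""
    findings = []
    lower = filename.lower()
    # photo.jpg.exe: an image name hiding a second, executable extension.
    if re.search(r"\.(jpe?g|png|gif)\.[a-z0-9]{1,4}$", lower):
        findings.append("double extension hides the real file type")
    if not data:
        findings.append("attachment is empty")
    ext = os.path.splitext(lower)[1]
    expected = IMAGE_SIGNATURES.get(ext)
    if expected and data and not any(data.startswith(s) for s in expected):
        findings.append(f"content does not start with a valid {ext} header")
    for label, sig in EXECUTABLE_SIGNATURES.items():
        if data.startswith(sig):
            findings.append(f"content is actually a {label}")
    return findings

# Constructed sample attachments for a stand-alone run (not real files).
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32
FAKE_JPEG = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in [("PictureOfUsAsKids.jpg", REAL_JPEG),
                       ("PictureOfUsAsKids.jpg", FAKE_JPEG),
                       ("PictureOfUsAsKids.jpg.scr", FAKE_JPEG)]:
        print(name, inspect_attachment(name, blob) or ["looks consistent"])
```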
You are on your lunch break when you access your personal email.
You open an email that appears to come from your bank, prompting you to log in to your account and update your personal information before your account is closed down.
You click on the link provided and, at the “bank's website”, you enter your personal information.
In reality, the website you entered your information into was an identical-looking copy rather than the bank's real website.
You experienced a phishing attack; the fake website was created by cybercriminals to collect information for illegal gain.
Phishing is a form of fraud in which the attacker tries to learn information such as login credentials or bank account details by masquerading as a reputable entity.
In the old days, hacking was performed on the telephone lines.
The freaks who sat on phone lines to hack or research this phenomenon were known as phreaks.
Phone + Freaks = Phreaks
The migration to the WWW created a culture of phreaks fishing for personal information.
Phreaks + Fishing = Phishing
Cybercriminals will go to any length to obtain personal and/or sensitive information
Masquerading as a trustworthy entity in an email, phishing is a technique used to fool users into supplying sensitive information
Social Security Number
Credit Card Details
User Names or User IDs
The email will threaten dire consequences, claim you must update or validate information, or claim you won something.
The information cybercriminals obtain is used for fraud, identity theft, company espionage, etc.
Cybercriminals can be extremely sophisticated in creating fake but legitimate-looking emails. Here are some additional tips to avoid phishing attacks:
Delete the email that asks you to confirm or provide personal information
Never email personal or financial information unless it is ENCRYPTED!!!
Encryption is the process of changing information into unreadable code so that if a file or email is compromised, the information will not be readable.
Public Key Infrastructure (PKI) users can securely send and receive encrypted or digitally signed data
Do not access the Internet by selecting links in emails
Type the web address manually into your browser window or use your bookmark for the known site
Contact the sender using a known telephone number
Never respond to an email that threatens to close your account or take some other action if you do not respond
Never open unsolicited email attachments without verifying source and scanning them
Falling victim to a phishing attack may cause personal and professional embarrassment, potential lawsuits and costly litigation
Get over being embarrassed!!!
At home, use trusted security software and set it to update automatically
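The phishing email in the scenario above relied on a link whose destination was not the bank's site. Below is a Python example, added here and not part of the original material, that parses the links in an HTML email body and reports the ones a reader should not follow: visible text naming one host while the link goes to another, hosts that merely embed a trusted bank domain, and bare IP addresses. The domains, the trusted-domain list and the sample email are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Gather (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    # Lower-cased host of a URL, or of a bare domain as shown in link text.
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def suspicious_links(html_body, trusted_domains):
    """Return (href, reason) pairs for links a reader should not follow."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host = _host(href)
        # Treat the visible text as a domain only when it looks like one.
        text_host = _host(text) if "." in text and " " not in text else ""
        trusted = any(href_host == d or href_host.endswith("." + d) for d in trusted_domains)
        if text_host and text_host != href_host:
            findings.append((href, f"text shows {text_host} but the link goes to {href_host}"))
        elif not trusted and any(d in href_host for d in trusted_domains):
            findings.append((href, f"{href_host} only imitates a trusted domain"))
        elif href_host.replace(".", "").isdigit():
            findings.append((href, "link goes to a bare IP address, not a named site"))
    return findings

# Constructed sample body in the style of the bank email described above.
SAMPLE_EMAIL = """<p>Your account will be closed unless you update your details at
<a href="http://examplebank.com.verify-login.example/update">www.examplebank.com</a>
or <a href="http://192.0.2.10/login">click here</a>.</p>
<p>Read our <a href="https://www.examplebank.com/privacy">privacy notice</a>.</p>"""
```

Running suspicious_links(SAMPLE_EMAIL, ["examplebank.com"]) reports the first two links and accepts the third, whose host really is under the trusted domain.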
Scenario: You are enjoying your early morning coffee at Starbucks when you glance at your watch and realize you are late.
In a rush, you leave your smartphone on the table under the newspaper you were reading and do not notice it is missing until you reach the next traffic light.
You return to Starbucks, but the phone is gone and no one has turned it in.
You are obviously concerned, BUT more concerning is that you had personal information stored on the phone as well as company data.
Worst of all, you had not been using any of the security features on the phone.
Mobile Devices Policies
Ensure you have a solution for Data at Rest (DAR) encryption installed to protect the data on your laptop computer while it is powered off. Depending on the version installed, this software may be called Symantec PGP, Symantec Encryption Desktop or Symantec Drive Encryption.
Be extra vigilant when storing company data on mobile computing devices.
All mobile computing devices must comply with company policy.
Password protect mobile computing devices.
Never unplug mobile devices from a classified network and then connect them to the unclassified network, or vice-versa.
Follow company policies on mobile computing device use and encryption.
Use only approved mobile devices.
Encrypt all Sensitive but Unclassified (SBU) and Personally Identifiable Information (PII).
If lost or stolen, immediately report the loss to your Chief Information Security Officer (CISO), the Security Operations Center (SOC), and your local police department.
Set a password for your phone and voicemail. Passwords should be at least 8 characters long with a combination of letters, numbers and special characters.
Do not use public Wi-Fi at airports or coffee shops for accessing sensitive information. If possible use your phone carrier’s network or a virtual private network (VPN) connection instead.
Disable Bluetooth if you don’t use it (BlueBorne is one example of a Bluetooth attack).
Only install applications from legitimate vendors. As with computer applications, it is always a good idea to research any app and its vendor prior to installation.
Set your phone to auto-lock after 5 minutes of inactivity.
Do not click on text message links sent by anonymous senders. This is another form of phishing.
Do not jailbreak your phone. A jailbroken phone has been hacked so that you have unrestricted access to the entire file system. Jailbreaking is common for iPhones and iPads; for Android devices it is called “rooting”.
Jailbreaking removes security features on your phone, which can expose you to data theft and loss of privacy.
Install the latest patch and operating system (OS) updates when they are available.
Backup your data and enable auto erase in case your phone is ever lost or stolen.
Leave your phone at home if you are traveling abroad. Purchase a prepaid phone (aka a burner phone) to make calls overseas.
Many people plug USB devices (e.g., USB drives, smartphones, tablets) into computers, televisions, and stereos without thinking that those devices can be destructive.
Before opening a file, scan the device with anti-virus and anti-spyware software
Keep work information and personal information on separate USB drives to avoid corruption
It is always a good idea to use available security features on mobile devices, including your smartphone.
Using a secure, unique password is the best (and smartest) thing you can do to protect yourself and your data.
Challenge for us all: the many sites we visit mean many passwords, but never use the same password for more than one site.
Use a password management tool (e.g., LastPass).
Use a passphrase so that it is easier to remember.
Selecting a secure password is easy if you create a passphrase. A passphrase is created by taking a memorable phrase, selecting the first letter of each word as your password, and then adding in numbers and symbols.
For example, the phrase “I pledge allegiance to the flag of the United States of America” becomes the password: Ipa2tfotUS0A!
Password Best Practices:
Passwords should never be shared with anyone, not even family members.
Passwords should not be written down and left in an unsecure location.
You should use a different password for each system (including personal non-work accounts).
Passwords should be strong, unique for each account, and difficult to guess. Consider using a passphrase that you can easily remember, but which is long enough to make password cracking more difficult.
Disable the feature that allows websites or programs to remember passwords.
Many online sites make use of password recovery or challenge questions. Your answers to these questions should be something that no one else would know or find from Internet searches, public records or social media. To prevent an attacker from leveraging personal information about yourself to answer challenge questions, consider providing a false answer to a fact-based question, assuming the response is unique and memorable.
Use two-factor authentication whenever it is offered for an added layer of protection
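As an added example (not from the original training material), the Python below applies the passphrase method and the stated password policy: it takes the first letter of each word of the page's phrase, reports which policy requirements (at least 8 characters with letters, numbers and special characters) a candidate password misses, and finds passwords reused across sites. The sample password store is constructed.

```python
import re

def passphrase_initials(phrase):
    """First letter of each word of a memorable phrase: the starting point
    before numbers and symbols are added."""
    return "".join(w[0] for w in phrase.split() if w[0].isalnum())

def policy_findings(password, min_length=8):
    """Check against the stated policy: at least 8 characters containing letters,
    numbers and special characters. Returns the shortfalls, empty if compliant."""
    checks = [
        (len(password) >= min_length, f"shorter than {min_length} characters"),
        (re.search(r"[A-Za-z]", password) is not None, "contains no letters"),
        (re.search(r"[0-9]", password) is not None, "contains no numbers"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "contains no special characters"),
    ]
    return [msg for ok, msg in checks if not ok]

def reused_passwords(passwords_by_site):
    """Groups of sites sharing one password; each group breaks the
    one-password-per-site rule."""
    by_password = {}
    for site, pw in passwords_by_site.items():
        by_password.setdefault(pw, []).append(site)
    return [sites for sites in by_password.values() if len(sites) > 1]

PHRASE = "I pledge allegiance to the flag of the United States of America"

if __name__ == "__main__":
    base = passphrase_initials(PHRASE)
    print(base, policy_findings(base))                       # bare initials fail the policy
    print("Ipa2tfotUS0A!", policy_findings("Ipa2tfotUS0A!"))  # with numbers and a symbol it passes
    # Constructed password store to show the reuse check.
    print(reused_passwords({"bank": "Ipa2tfotUS0A!", "email": "Ipa2tfotUS0A!", "work": "Wd4t!zzQ"}))
```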
Cybercriminals also use social networking sites to gather information.
Whether we are using social media for official or personal use, it is our duty to use social networking tools in a responsible, safe, and sensible manner to protect mission objectives, program integrity, and data and reputation.
Personal information you share can be used to conduct attacks against you and/or your associates. The more information you share, the more likely someone can impersonate you and trick one of your friends into sharing personal information, downloading malware, or providing access to restricted sites.
Becoming “friends” with someone on social media: do you really know who that person is? For the majority of connections, the answer is NO. The CIA Director's information was compromised after he was befriended on a social media site; after months of casual socializing, the individual asked if he would review their resume for a job they were going to apply for.
The Director opened the “resume”, and it turned out to be malware.
So social media can be used to create a false sense of a safe environment, a real group of friends.
Unless the individual is actually your personal friend or family member, you do not really know them, so treat them accordingly!
SBU does not meet the criteria for Classified National Security Information (CNSI). SBU = “any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under Section 552a of Title 5, United States Code (the Privacy Act) but which has not been specifically authorized under criteria established by an Executive Order (EO) or an act of Congress to be kept secret in the interest of national defense or foreign policy.”
Personally Identifiable Information (PII) is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual. It is globally recognized as highly sensitive unclassified information.
Sensitive PII is an element or combination of elements of PII, which if lost, compromised, or disclosed inappropriately could be used to inflict harm, embarrassment, inconvenience, or unfairness to an individual.
Non-Sensitive PII is information that is available in public sources, the disclosure of which cannot reasonably be expected to result in personal harm or embarrassment.
Export Controlled Information (International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR) information) is information that may only be disseminated to U.S. citizens and most often must never be disseminated to foreign nationals.
Handling Sensitive Information
Don’t keep PII data on desktops or personal computers.
Encrypt PII and SBU that is transmitted or downloaded and stored on any portable storage device that includes laptops (this is in addition to Data at Rest whole disk encryption), iPads, thumb drives, external hard drives, etc., or which is stored on any portable media such as CD, DVD or Magnetic Media, using established encryption procedures.
Encrypt all SBU and Sensitive PII email messages, including any attachments which contain PII or other SBU.
Ensure that all PII downloaded from any system is erased within 90 days unless it is still required or if it is an official record, in accordance with records management and disposal schedules.
Never assume the authority to “accept risks” associated with not fully completing all Federal requirements for assessing, managing and protecting PII (e.g., conducting the IPTA and/or Privacy Impact Assessment (PIA) that is required to be completed before actively collecting any information from individuals at or on behalf of the company).
Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law designed to protect a subset of Sensitive Information known as Protected Health Information (PHI)
In 2009, HIPAA was expanded and strengthened by the HITECH Act (Health Information Technology for Economic and Clinical Health)
PHI is any information that can be used to identify a patient (living or deceased) that relates to the patient’s physical or mental health or condition, including healthcare services provided and payment for those services.
Privacy Rule
“Covered Entities” have a duty to protect PHI.
A covered entity is any person or organization that furnishes, bills, or is paid for health care services
Individually identifiable health information collected or created by a covered entity is considered PHI
Security Rule
HIPAA security concentrates on safeguarding PHI by focusing on the confidentiality, integrity, and availability of PHI.
Organizations must have safeguards in place to protect the privacy of PHI