|
Topics Covered Why Security? Liability Privacy Concerns
|
tarix | 30.10.2018 | ölçüsü | 0,65 Mb. | | #76742 |
|
Information Security – Creating Awareness, Educating Staff, and Protecting Information
Topics Covered
Why Security? Liability Privacy Concerns Copyright Violations Identity Theft Resource Violations Reputation Protection Meet Expectations Laws & Regulations
Understanding Threats What is valuable? What is vulnerable? What can we do to safeguard and mitigate threats? What can we do to prepare ourselves? Most believe they will win lottery before getting hit by malicious code
Protecting Information like: Social Security Number Drivers license number Insurance numbers Passwords and PIN’s Banking information
Terminology Hackers - white hat
- grey hat
- black hat
DOS & DDOS 1337 (Leet) speak Warez Script kiddies
Spyware & Adware (Scumware) Spyware-Applications that monitor activity without express permission Adware-Applications that monitor activity with express permission
SPAM & SPIM SPAM- SPIM- SPAM has come to Instant Messaging - Uncontrolled viewing (pop-up windows)
- Bot generated
Phishing Phishing is a computer scam that uses SPAM, SPIM & pop-up messages to trick us into disclosing private information (Social Security Number, Credit Cards, banking data, passwords, etc) - Often sent from someone that we “trust” or are in some way associated with us
- Appears to be a legitimate website
- Embedded in links emails & pop-up message
- Phishing emails often contain spyware designed to give remote control to our computer or track our online activities
Passwords - At least 7 characters
- Mixture of upper and lowercase characters
- Mixture of alpha and numeric characters
- Don’t use dictionary words
Keep passwords safe Change them often Don’t share or reuse passwords Two-factor authentication
Social Engineering Social Engineering is the art of prying information out of someone else to obtain access or gain important details about a particular system through the use of deception
Email and chat are sent in clear text over the Internet Data can easily be captured and read by savvy computer users and systems administrators Safeguards should be put into place prior to using these programs for sending/receiving sensitive information like Social Security Numbers
Enhance Our Work Area Security Secure workstations - Lock our systems (Ctrl-Alt-Delete)
- Shut down
- Run up to date virus scanning software
- Password protect files
- Apply software patches
- Install cable locks
- Run a desktop firewall
Is Our Data Being Backed Up? Test backups Securely store backup media (offsite) Restrict access to who can perform restoration
Equipment Disposal What happens to old computer when they are replaced? Do those systems contain sensitive information? Several programs to securely remove data from computer systems are commercially available
Data Recovery
Dumpster Diving We never know who is looking in our trash Shred sensitive documents Secure shred barrels, and make sure that proper handling procedures are in place
Access Rights Only allow access that is absolutely required Don’t grant accounts based on the fact that access “may” be required Use least privilege access policies that state access will only be granted if required, not by default Are accounts removed and passwords changed when someone changes jobs or is terminated? Perform audits
Physical Security Who has access? Are sensitive documents secured?
Emerging Threats Wireless Technology Memory Devices-iPod, USB Keys, Coke cans, etc Camera phones P2P File Sharing
Incident Response Do you know what to do and who to contact if a security breach occurs?
Recent News
Creating Awareness Educate staff - Train staff
- Document processes and outline expectations
Research potential candidates - Perform background & credit checks
Track system changes - Audit system access
- Audit system changes
Create & communicate policies: - Define document and system disposal processes
- Define backup procedures
- Define clean work area policies
- Define computer usage policies
Be Aware Report anything “strange” Don’t give private information out Properly dispose of sensitive information Run up to date virus protection & software Ask questions
Useful Links National Cyber Security Alliance http://www.staysafeonline.info/ National Institute of Standards and Technology: http://csrc.nist.gov/sec-cert/ Recent News - High Profile Computer Compromise
- High Profile Computer Compromise
A lot of Schools have great security resource pages, for example UC Davis and the University of Iowa websites: http://security.ucdavis.edu/security101.cfm http://cio.uiowa.edu/itsecurity/
Some various applications mentioned in the presentation* Email Security - PGP http://www.pgp.com
- Instant Messaging Security
- Simp http://www.secway.fr/products/all.php?PARAM=us,text
- Adware & Spyware Removal Applications
- Ad-aware http://www.lavasoftusa.com/software/adaware/
- Spybot http://www.safer-networking.org/en/download/
Secure File Deletion - Secure Delete http://www.sysinternals.com/ntw2k/source/sdelete.shtml
System Disposal - Secure Hard Drive cleaning http://www.accessdata.com/Product07_Overview.htm
Sample Policies Developing Security Policy - http://www.sans.org/rr/papers/50/919.pdf
Acceptable Use - http://www.sans.org/resources/policies/Acceptable_Use_Policy.pdf
Questions? Please fill out the session evaluations & thank you for attending this session
Dostları ilə paylaş: |
|
|