Security Training PDF
2023
Summary
This document is a security training presentation. It covers topics such as information security, email security, and password security. The presentation uses visual aids and bullet-points to deliver the content.
Full Transcript
Security Training

What is security?
Security refers to the practice of protecting people, property, information, and systems from threats and unauthorized access. In the context of information technology and business, security is about ensuring the confidentiality, integrity, and availability of data and resources.

Security Principles (diagram illustrating the three pillars)
○ Information security

# Exotel © 2023 | All rights reserved

General Security Measures
Physical Security
○ Clean Desk Policy
○ Destroy information before disposing of it
○ Collect your printouts/faxes immediately
○ Terminate active sessions or log off when finished.
○ Attend to visitors in Reception only and ensure they are escorted by employees/authorized personnel if they need to access non-public areas.
○ Acceptable Usage Policy

Social Engineering
Psychological manipulation of people into performing actions or divulging confidential information. Such attacks start by building trust over phone, email or social media.
Remember that
○ Little bits of info can snowball.
○ Attackers will claim to be a new employee to get info.
○ Human nature is to want to help others.
○ Confirm any request via another channel.

Password Security
○ Maintain different credentials per service. Hackers know it's hard to keep up with multiple passwords. If they get one, they will use it against other services hoping to gain additional access.
○ Avoid over-simplified or very short passwords. Use longer passwords composed of standard words that you can remember, or the first letter of each word in a sentence or phrase. The longer the password, the more difficult it is to crack.

Password Management
○ Avoid writing passwords down or keeping them in an insecure text file or document.
○ Email is not a password management system. Never email your password to anyone (including yourself).
○ A password management utility is one option for storing personal passwords. Many exist that work on desktops and mobile devices. These encrypt your passwords and many will also help you generate complex passwords.

Email Security
Email is one of the most common and most successful attack vectors on the internet. Recent statistics cite up to 90% of successful attacks against businesses beginning with a malicious email. Emails can contain malicious files such as viruses and malware, link to malicious websites, or try to coerce or convince you to give away personal information, like your username and password. Cybercriminals using email to attack businesses are becoming more and more effective at evading detection – technology alone is only marginally effective at blocking these new email threats.

Email Do's and Don'ts
Do's
○ Always verify the sender of a message.
○ Always hover over web page links (URLs) in email messages to see where they link to – beware URL shortening services (like bit.ly) that may obscure the final web site destination.
○ Be skeptical of messages with odd spelling/grammar, improper logos, or that ask you to upgrade or verify your account.
○ Report suspicious emails to the information security team.
Don'ts
○ Open an attachment from an unknown sender. Consider the source and whether or not the file was expected.
○ Click on a link from an unknown sender.
○ Email someone your username or password.

Email Thread Example
○ Phishing: disguising as a trustworthy entity
○ Viruses and Malware: use of attachments to spread viruses or other malicious software
○ Email Spoofing: using an email address that mimics a trusted party

Phishing
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. (Wikipedia - https://en.wikipedia.org/wiki/Phishing)
Common phishing scams attempt to use coercion or scare tactics to get you to enter your username and password into a phony website, such as:
○ A "required action" as part of a system or quota upgrade
○ A "required action" to prevent email account closure
○ A "trusted" vendor, such as a fake Dropbox or Google alert
○ A "legitimate" banking alert
Once they have your password, phishers use your account credentials to send more phishing messages, change financial account information, or redirect checks/deposits.

Spear Phishing
Phishing campaigns don't target victims individually – they're sent to hundreds, sometimes thousands, of recipients. Spear phishing, in contrast, is highly targeted and aims at a single individual. Hackers do this by pretending to know you. It's personal.
A phishing campaign is very broad and automated; think "spray and pray". It doesn't take a lot of skill to execute a massive phishing campaign. Most phishing attempts are after things like credit card data, usernames and passwords, etc., and are usually a one-and-done attack. Spear phishing requires advanced hacking techniques and a great amount of research on the targets. Spear phishers are after more valuable data like confidential information, business secrets, and things of that nature.

Viruses and Malware
Cybercriminals also use attachments to spread viruses or other malicious software (malware) to steal or destroy data. Malware can install keyloggers to capture everything you type, control your webcam/microphone, or send all of your data to remote servers that the criminal controls. The attachment typically arrives as a Word, Excel or PDF file and has to be opened before the malware triggers. Malware will take advantage of unpatched software. Some Word/Excel malware requires you to enable Macros – always be suspicious of an attachment that requests you to "lower" your security settings when opening.
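The "hover over links" and URL-shortener advice above can be automated for a mail-filtering check. The following Python is an added example, not part of the original deck: it parses a constructed HTML email body and flags links whose visible text names a different site than the real href, links that are not HTTPS, and links through a (hypothetical, incomplete) list of shortener hosts; the sample message and the example.com/example.net domains are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical, deliberately short list of URL-shortening hosts (bit.ly is the one the slide names).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:      # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude last-two-labels comparison (no public-suffix list): 'mail.example.com' -> 'example.com'."""
    return ".".join(host.lower().split(".")[-2:])

def check_links(html):
    """Return (href, reason) warnings for links a reader should treat with suspicion."""
    parser = LinkCollector()
    parser.feed(html)
    warnings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if urlparse(href).scheme != "https":
            warnings.append((href, "link is not HTTPS"))
        # The visible text looks like a URL or domain: its site must match the real href.
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        if "." in shown and registered_domain(shown) != registered_domain(host):
            warnings.append((href, f"displayed '{text}' but points to {host}"))
        if host in SHORTENERS:
            warnings.append((href, "URL shortener hides the final destination"))
    return warnings

# Constructed sample: a quota-scare message with a disguised link and a shortened link.
SAMPLE_EMAIL = """<p>Your mailbox quota is full. Visit
<a href="http://verify-account.example.net/login">https://mail.example.com/upgrade</a>
to keep your account open. Shared document: <a href="https://bit.ly/3abcxyz">shared file</a>.
More advice: <a href="https://www.cisa.gov/uscert">https://www.cisa.gov/uscert</a></p>"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```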
Safe Web Browsing
○ Keep your browser software version up-to-date.
○ Keep any browser plugins up-to-date, especially Adobe Flash and Java, as these are targeted frequently.
○ Hover over URLs and links.
○ Make use of pop-up and ad blockers.
○ Be aware of where Google or other web searches are sending you.
○ Be careful when downloading software from the internet.
○ If a website requests user information of any kind, make sure that website is using HTTPS. Look for the padlock or other indicators that the page is secure, such as an address that begins with https://

Ransomware
Ransomware is a new type of malware that encrypts documents, pictures and other files, making them unreadable. The attacker then holds the decryption key for ransom until you agree to pay money, usually through an untraceable method such as Bitcoin or another digital currency. Ransomware assumes that you'll pay to recover your files – if you back them up regularly, you have no need to pay the ransom.

Physical security of your computer
○ Lock your computer before stepping away from it.
○ Set your screen to auto-lock after a period of inactivity (less than 2 minutes please).
○ Beware of shoulder surfing, especially when using a computer in a public place like coffee shops and airports.

Example of Threats (slide images)

Confidentiality of Customer Data
Our customers share their data with us, and depend on us to keep this data safe, secure and inaccessible to unauthorized people. In order to protect their data, it is first important to identify such data.

Data Classification
Data classification provides a way to categorize data processed by our organisation, its software and systems, based on levels of sensitivity. The purpose of this policy is to establish a framework for classifying data based on its sensitivity, value and criticality to the organization. By understanding what data types are available, their classification and access levels, you can map the appropriate access/protection of the data. This ensures that sensitive corporate and customer data can be secured appropriately.
We classify data into the following types:
○ Public
○ Company Confidential
○ Customer Confidential
○ Personal Data

Simple things to remember
○ Do not share any customer data outside of the company.
○ No company data on personal devices.
○ Ask if you're unsure!
○ No customer data on company/work devices.
○ Be mindful of how you handle data.

Further Reading
○ Stay Safe Online – National Cyber Security Alliance: https://www.staysafeonline.org
○ The Cybersecurity and Infrastructure Security Agency (CISA): https://www.cisa.gov/uscert
○ FTC Privacy, Identity & Online Security: https://consumer.ftc.gov/identity-theft-and-online-security/online-privacy-and-security
○ SANS Cyber Security Awareness: https://www.sans.org/apac/

Thank You