0-WISP Old Station ~ Security Slides.pdf
Document Details
Uploaded by OldStationSupply
2019
Tags
Related
- Network Security Fundamentals Exam 212-82 PDF
- Gramm-Leach-Bliley Act (GLBA) & GDPR PDF
- CCF-Session-1-v4-Regular-2023-lec-clsu-1 PDF - Information Security Fundamentals
- Lecture 1 - Part I(1) (2) - Cybersecurity Fundamentals PDF
- Information Assurance and Security PDF
- Legal and Privacy Issues in Information Security PDF (Chapter 1)
Full Transcript
Information Security Nuts & Bolts: Why does it matter to me? Developed by : Chris Wisneski 2019 Whittlesey Technology Today’s Presenters Chris Wisneski • Over 20 years of technology and leadership experience Manager, IT Security and Assurance Services Whittlesey Technology • Areas of experti...
Information Security Nuts & Bolts: Why does it matter to me? Developed by : Chris Wisneski 2019 Whittlesey Technology Today’s Presenters Chris Wisneski • Over 20 years of technology and leadership experience Manager, IT Security and Assurance Services Whittlesey Technology • Areas of expertise include IT audit, SOC 1 and 2 audits, Cybersecurity, Risk Assessments, IT General Controls, Information Security, Networks, Regulatory Compliance, FDICIA and SMB [email protected] 860.524.4434 2 Agenda Massachusetts Data Privacy Act Social Engineering • • Emerging trends How to protect ourselves Cybersecurity Best Practices • • • Password Complexity Public WiFi hotspots Mobile Device Security 3 Massachusetts Data Privacy Act Massachusetts Data Privacy Act (MA - 201 CMR 17.00) • In effect on March 1, 2010 o Revised and Effective April 11, 2019 • Who does it apply to? • Defines Personally Identifiable Information (PII) o Social Security Number o Driver’s License Number o State Identification Card Number o Financial Account Number, credit or debit card number • Assesses stiff fines to companies that are breached and subsequently don’t comply with the law 4 Massachusetts Data Privacy Act Massachusetts Data Privacy Act Requirements • Written Information Security Program (WISP) • Designating one or more employees to maintain the program (such as a an Information Security Coordinator or a Privacy Officer) • Vendor Management Program • Incident Response Plan • Security Awareness Program • Breach reporting within 90-days of finding breach 5 What are Social Engineering Attacks? Remote • Phishing Emails - email that attempts to trick you into clicking on a link, opening an attachment, or giving up your credentials • Vishing Phone Calls - phone call that from someone impersonating a client or vendor to obtain confidential information On-site • Baiting – enticing users to plug in infected media like USB drives, CD-ROMs, etc • Social Engineering for physical access – gaining physical access to restricted areas by taking advantage of trusting employees o Tailgating o Impersonation 06 Detecting and Avoiding Phishing Attacks Check the sender address for misspellings Take notice of inconsistent language or strange formatting Manually review email header information for clues Call to confirm 07 Misspelled Sender Addresses 08 Strange Formatting or Inconsistent Language 09 Detecting and Avoiding Vishing Attacks Check the originating phone number Be wary of automated calls Call back confirmation NEVER give out confidential information unless you’re absolutely sure of who you are talking to Spam calls rose over 22% in the last 12 months On average, Americans reported receiving 23 spam calls (mobile and/or landline) in the last 12 months 1 in every 10 American adults (10%) lost money from a phone scam in the past 12 months with nearly half (46%) of those who have ever been scammed reporting they’ve been a victim more than once With an average loss of $357 per victim, the result of these scams is projected to have cost 24.9 million Americans approximately $8.9 billion* in total losses. 10 Detecting and Avoiding Baiting Attacks Never plug in unknown devices into your network • Create written policy within WISP Ensure antivirus is up-to-date to prevent malware from executing Use software to restrict reading of portable drives by workstations on the corporate network • Through third party security software • Through Group Policy 11 Detecting and Avoiding Physical Social Engineering Attacks Have a sign-in process Use guest badges Check credentials of people you don’t know Escort visitors 12 Public WiFi Am I Safe? • • • • Phony rogue networks set up specifically by cyber criminals Man-in-the-middle attacks where hackers commandeer a public WiFi network and redirect users, often to a phony login site where their credentials are stolen Wireless sniffer tools that locate unsecured public WiFi networks, analyze their packets, and steal data, monitor network activity, or gather intel for use in a future attack against the enterprise’s network Having your device infected by a worm on another user’s device that travels through the public WiFi network 13 Public WiFi How Can I Protect Myself? • • • • • • Use a Virtual Private Network (VPN) o Hotspot Shield or NordVPN Use Secure Connections o Configure browser to ‘always uses HTTPS’ connections Don’t Access Anything Sensitive Turn Off Automatic Connectivity Turn Off Bluetooth Turn off airdrop and file sharing 14 Mobile Device Security Why Do I Care? • • • Android platform has over 300,000 vulnerabilities iOS (Apple) has approximately 1651 Trend Micro reported that it had over 235,000 detections for ransomware targeted at Android platforms in April of 2017 15 Mobile Device Security How Can I Protect Myself? • • • • • • Regularly Update the Operating System and Apps Use Relevant Built-in Security Features o Find My iPhone or Find My Device (Android or Google) o Built in Encryption Use Strong Passwords or Biometrics Install an Antivirus Application Avoid Turning On AutoFill on your device Utilize a Mobile Device Management (MDM) solution 16 New NIST Password Standards What is NIST? • National Institute of Standards and Technology • Cybersecurity Framework Version 1.1 (April 16, 2018) • Framework for security standards for large and small companies and organizations across all industry sectors, as well as by federal, state and local governments 17 New NIST Password Standards Wait for it…wait for it… • • • • 12 character minimum length Passphrases are encouraged o For example, ‘elatedraccoon’ or ‘dogsandcatsplay’ Allow complexity, but not required* Abolishing password expirations altogether? 18 Password Strength Statistics 19 ASSURANCE | ADVISORY | TAX | TECHNOLOGY Headquarters 280 Trumbull Street, 24th Floor Hartford, CT 06103 860.522.3111 One Hamden Center 2319 Whitney Avenue, Suite 2A Hamden, CT 06518 203.397.2525 14 Bobala Road, 3rd floor Holyoke, MA 01040 413.536.3970 WAdvising.com