0-WISP Old Station ~ Security Slides.pdf

Full Transcript

Information Security
Nuts & Bolts:
Why does it matter to me?
Developed by :
Chris Wisneski 2019
Whittlesey Technology

Today’s Presenters

Chris Wisneski

•

Over 20 years of technology and leadership experience

Manager, IT Security and Assurance Services
Whittlesey Technology

•

Areas of expertise include IT audit, SOC 1 and 2 audits,
Cybersecurity, Risk Assessments, IT General Controls,
Information Security, Networks, Regulatory
Compliance, FDICIA and SMB

[email protected]
860.524.4434

2

Agenda

Massachusetts Data Privacy Act

Social Engineering
•
•

Emerging trends
How to protect ourselves

Cybersecurity Best Practices
•
•
•

Password Complexity
Public WiFi hotspots
Mobile Device Security

3

Massachusetts Data Privacy Act

Massachusetts Data Privacy Act (MA - 201 CMR 17.00)
•

In effect on March 1, 2010
o Revised and Effective April 11, 2019

•

Who does it apply to?

•

Defines Personally Identifiable Information (PII)
o Social Security Number
o Driver’s License Number
o State Identification Card Number
o Financial Account Number, credit or debit card number

•

Assesses stiff fines to companies that are breached and
subsequently don’t comply with the law

4

Massachusetts Data Privacy Act

Massachusetts Data Privacy Act Requirements
•

Written Information Security Program (WISP)

•

Designating one or more employees to maintain the program
(such as a an Information Security Coordinator or a Privacy
Officer)

•

Vendor Management Program

•

Incident Response Plan

•

Security Awareness Program

•

Breach reporting within 90-days of finding breach

5

What are Social Engineering Attacks?
Remote
•

Phishing Emails - email that attempts to trick you into
clicking on a link, opening an attachment, or giving up your
credentials

•

Vishing Phone Calls - phone call that from someone
impersonating a client or vendor to obtain confidential
information

On-site
•

Baiting – enticing users to plug in infected media like USB
drives, CD-ROMs, etc

•

Social Engineering for physical access – gaining physical
access to restricted areas by taking advantage of trusting
employees
o

Tailgating

o

Impersonation

06

Detecting and Avoiding Phishing Attacks
Check the sender address for misspellings
Take notice of inconsistent language or strange formatting
Manually review email header information for clues

Call to confirm

07

Misspelled Sender Addresses

08

Strange Formatting or Inconsistent Language

09

Detecting and Avoiding Vishing Attacks
Check the originating phone number
Be wary of automated calls
Call back confirmation

NEVER give out confidential information unless you’re
absolutely sure of who you are talking to
Spam calls rose over 22% in the last 12 months
On average, Americans reported receiving 23 spam calls (mobile
and/or landline) in the last 12 months
1 in every 10 American adults (10%) lost money from a phone scam in
the past 12 months with nearly half (46%) of those who have ever been
scammed reporting they’ve been a victim more than once

With an average loss of $357 per victim, the result of these scams is
projected to have cost 24.9 million Americans approximately $8.9
billion* in total losses.

10

Detecting and Avoiding Baiting Attacks
Never plug in unknown devices into your network
•

Create written policy within WISP

Ensure antivirus is up-to-date to prevent malware from
executing
Use software to restrict reading of portable drives by
workstations on the corporate network
•

Through third party security software

•

Through Group Policy

11

Detecting and Avoiding Physical Social Engineering Attacks
Have a sign-in process
Use guest badges
Check credentials of people you don’t know

Escort visitors

12

Public WiFi
Am I Safe?
•
•

•

•

Phony rogue networks set up specifically by cyber criminals
Man-in-the-middle attacks where hackers commandeer a
public WiFi network and redirect users, often to a phony login
site where their credentials are stolen
Wireless sniffer tools that locate unsecured public WiFi
networks, analyze their packets, and steal data, monitor
network activity, or gather intel for use in a future attack
against the enterprise’s network
Having your device infected by a worm on another user’s
device that travels through the public WiFi network

13

Public WiFi
How Can I Protect Myself?
•
•
•
•
•
•

Use a Virtual Private Network (VPN)
o Hotspot Shield or NordVPN
Use Secure Connections
o Configure browser to ‘always uses HTTPS’ connections
Don’t Access Anything Sensitive
Turn Off Automatic Connectivity
Turn Off Bluetooth
Turn off airdrop and file sharing

14

Mobile Device Security
Why Do I Care?
•
•
•

Android platform has over 300,000 vulnerabilities
iOS (Apple) has approximately 1651
Trend Micro reported that it had over 235,000 detections for
ransomware targeted at Android platforms in April of 2017

15

Mobile Device Security
How Can I Protect Myself?
•
•

•
•
•
•

Regularly Update the Operating System and Apps
Use Relevant Built-in Security Features
o Find My iPhone or Find My Device (Android or Google)
o Built in Encryption
Use Strong Passwords or Biometrics
Install an Antivirus Application
Avoid Turning On AutoFill on your device
Utilize a Mobile Device Management (MDM) solution

16

New NIST Password Standards
What is NIST?
•

National Institute of Standards and Technology

•

Cybersecurity Framework Version 1.1 (April 16, 2018)

•

Framework for security standards for large and small
companies and organizations across all industry sectors, as
well as by federal, state and local governments

17

New NIST Password Standards
Wait for it…wait for it…
•
•

•
•

12 character minimum length
Passphrases are encouraged
o For example, ‘elatedraccoon’ or ‘dogsandcatsplay’
Allow complexity, but not required*
Abolishing password expirations altogether?

18

Password Strength Statistics

19

ASSURANCE | ADVISORY | TAX | TECHNOLOGY

Headquarters
280 Trumbull Street, 24th Floor
Hartford, CT 06103
860.522.3111

One Hamden Center
2319 Whitney Avenue, Suite 2A
Hamden, CT 06518
203.397.2525

14 Bobala Road, 3rd floor
Holyoke, MA 01040
413.536.3970

WAdvising.com