Information Security Awareness Session 2016 PDF
Document Details
Uploaded by LeadingZinc
University of Mumbai
2016
Summary
This document is an Information Security Awareness Session from 2016. It covers various topics related to information security, including information security goals, different types of malware, and social engineering. It also includes tips for incident reporting and security.
Full Transcript
BNPI INFORMATION SECURITY AWARENESS SESSION
Information Security Awareness Session 2016

Agenda
Information security goals
Different types of malware
Top security breaches of 2015
Social engineering
  Human based attacks
  Computer based attacks
Incident reporting
Security tips & counter-measures
  HTTPs – WOT
  How to create a strong password
  Clean desk & clear screen
  Email security
  Mobile threat & security
  How to protect your PC
Conclusion

Information Security RSSI Awareness Session

Information security goals
Maintain an appropriate level of awareness, knowledge and skills amongst managers and employees.
Ensure business continuity following information security incidents.

Different types of malware
Malicious Software = Malware
Spyware: monitors your movements.
Trojan: facilitates unauthorized access to your workstation.
Virus: infects your computer, taking control over some or all of its functions.
Worm: a virus that replicates itself over a network.

Top security breaches of 2015
(image slide)

Social engineering
THE ART OF HUMAN HACKING
BECAUSE THERE IS NO PATCH FOR HUMAN ERRORS

Why social engineering?
EVERY USER HAS INFORMATION AND EVERY INFORMATION IS GOOD TO TAKE
One of the simplest attacks.
Difficult to detect and track.
Considered the most effective.
Type of social engineering attacks
Information gathering (social media vectors)
Shoulder surfing
Dumpster diving
Human based attacks
Impersonation
Phishing
Computer based attacks
Online scams

Information gathering
STAFF ARE THE FIRST LINE OF DEFENSE

Phishing e-mails
Phishing e-mail characteristics:
Deceptive subject line
Messages that sound attractive or threatening
Forged sender’s address
Forged content (logos, fonts, images, etc.)
Forged hyperlinks
Submission forms

Advanced Persistent Threat (APT)
Definition: An APT is an attack in which an unauthorized person gains access to the network and stays there undetected for a long period of time in order to steal data. An APT attacker often uses a type of social engineering to gain access to the network through legitimate means. Once access has been achieved, the attacker establishes a back door.
Countermeasures:
Report odd user behavior, such as user activity after working hours or during weekends.
Keep aware of social engineering attempts; information/credentials disclosure could compromise the entire information system.

Online scams
(image slide)

Incident reporting
[Diagram: stages Report, Fix, Follow-up, Risk; actors: Staff, Incident Reporting Coordinator (IRC), Repair and Support Unit (RSU), concerned business line entity manager.]

Real case incidents
Successful phishing attack
[Illustration: attacker message "I want to transfer 50000$"; employee reply "OK !!"; the customer complains of an unauthorized transfer; bad image for the bank.]

Real case incidents
Phishing email detected
[Illustration: attacker message "I want to transfer 10000$"; employee reply "Hey sir, do you confirm the unusual transfer?"]

Security tips & counter measures
Digital information is not only easy to store but also easy to leak.

Security tips & counter measures
HTTPs
WOT
Social networking security
Password security
Physical security
Email security
Mobile security
General security tips

HTTPs
(image slide)

Web of Trust – WOT
WOT displays a colored traffic light next to website links to show you which sites people trust for safe searching, surfing and shopping online.

Web Security (POC)
Website verification
Freeware downloads

Social networking security
Once you publish something you can’t take it back
Limit the amount of personal information you post
Evaluate your security settings
Be wary of third-party applications
Use strong passwords
Check privacy policies
Don’t believe anything you read online

Social networking security (POC)
Evaluate your security settings
Third-party applications
Use strong passwords
Check privacy policies
Scam examples

Password security
How to select a strong password:
o At least 8 characters
o Mix of upper and lowercase characters
o Mix of alpha and numeric characters
o Don’t use dictionary words
Change passwords frequently
Don’t share or reuse passwords
Use different passwords for different accounts
Don’t write down passwords
Use password phrases: "I was Born on May 9 nineteen90 #" becomes IwBoM9n90#

Clear desk & clear screen
Clear away paperwork
Use shredders for sensitive document disposal
Lock desk and filing cabinets
Lock away portable devices such as tablets
Lock your workstation when you leave
Make sure no documents are left in the printer
Treat mass storage devices such as CD-ROM, DVD or USB drives as sensitive and secure them in a locked drawer

Email security
Never open an attachment from an unknown sender
Make sure the email references the attachment
Do not hesitate to contact the sender of an email message that contains an attachment
Never send anyone your personal data (name, address, phone number, password, account numbers)
In case of suspicion, contact the IT department or the information security officer
"Trust your instincts - It may well be a virus"

Mobile threat
[Chart: number of malicious installation packages and new malicious programs detected (Q3 2014 – Q1 2015).]

Mobile phones security
Never plug your phone into the PC
Download applications only from trusted sources
Install antimalware controls
Never store business related documents on your phone
Always change the factory PIN code (0000)
Always use a screen lock

Mobile phones security (POC)
Locking
Trusted source
Secure messaging apps
Mail

Mobile phones security
Share with care. Once you post a text, photo and/or video it’s tough to take back; it can be copied and pasted elsewhere. Think about the people in them (including you!). Privacy is at stake.
Pay attention to any permissions applications request as you install them.
Use a "find your phone" tool. Certain software and applications make it easy to find your phone if you lose it.
Keep your operating system and applications updated, as updates contain security patches.
Disable services like GPS or Bluetooth if not needed.
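The phishing e-mail characteristics listed in the deck (forged sender's address, forged hyperlinks, submission forms, threatening or attractive subject lines) can be checked mechanically on the receiving side. The script below is an added example written for this page, not material from the original session; the brand-to-domain mapping, the threat-word list and both sample messages are constructed for illustration and use reserved example domains and addresses.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (constructed): the organisation's real mail domain, keyed by the
# brand name a sender may claim in the From display name.
KNOWN_BRAND_DOMAINS = {"example bank": "examplebank.test"}

# Subject words the deck would call "attractive or threatening" (constructed list).
THREAT_WORDS = ("urgent", "suspended", "immediately", "verify", "confirm", "winner")

# Constructed sample messages; domains and the IP address are reserved example values.
SAMPLE_PHISH = """From: Example Bank Security <alerts@examplebank-verify.test>
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html

<html><body>
<p>Dear customer, unusual activity was detected on your account.</p>
<p><a href="http://203.0.113.10/login">https://www.examplebank.test/login</a></p>
<form action="http://203.0.113.10/collect" method="post">
<input name="password"><input type="submit" value="Verify">
</form>
</body></html>
"""

BENIGN_MAIL = """From: Example Bank Security <alerts@examplebank.test>
Subject: Your monthly statement is available
Content-Type: text/plain

Your statement for this month is ready in the online banking portal.
"""


class _LinkFormCollector(HTMLParser):
    """Collects (href, visible text) for every anchor and counts <form> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = 0
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
        elif tag == "form":
            self.forms += 1

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the deck's phishing characteristics found in one raw (RFC 822) message."""
    msg = message_from_string(raw_message)
    findings = []

    # Deceptive / threatening subject line.
    subject = (msg["Subject"] or "").lower()
    hits = [w for w in THREAT_WORDS if w in subject]
    if hits:
        findings.append(f"subject: attractive/threatening wording ({', '.join(hits)})")

    # Forged sender's address: display name claims a brand, domain does not match it.
    display_name, address = parseaddr(msg["From"] or "")
    sender_domain = address.rpartition("@")[2].lower()
    for brand, real_domain in KNOWN_BRAND_DOMAINS.items():
        if brand in display_name.lower() and sender_domain != real_domain \
                and not sender_domain.endswith("." + real_domain):
            findings.append(f"sender: display name claims '{brand}' but address domain is {sender_domain}")

    # Forged hyperlinks and submission forms in the body (single-part messages only).
    body = msg.get_payload()
    if isinstance(body, str):
        collector = _LinkFormCollector()
        collector.feed(body)
        for href, text in collector.links:
            if text.lower().startswith(("http://", "https://")) and _host(text) != _host(href):
                findings.append(f"link: text shows {_host(text)} but href goes to {_host(href)}")
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", _host(href)):
                findings.append(f"link: href host is a bare IP address ({_host(href)})")
        if collector.forms:
            findings.append(f"body: contains {collector.forms} submission form(s)")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("benign", BENIGN_MAIL)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

The check deliberately reports every matching characteristic rather than a single verdict, so a reviewer sees which of the deck's signs triggered; "forged content" (logos, fonts) is not covered because it needs the rendered message, not its source.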
How to protect your PC
Always back up sensitive data
Always lock your workstation when away from your desk (Windows: Windows key + L)
Ensure that antivirus definitions are updated regularly
Reboot your system after applying new updates
Use a strong password and keep it distinct from the passwords used for personal accounts
Never charge smartphones from the PC
Never insert a USB or any storage device into your PC

Conclusion
Security = 20% technical + 80% behavior
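The password rules from the "Password security" slide (at least 8 characters, mixed case, letters plus digits, no dictionary words) and its passphrase trick ("I was Born on May 9 nineteen90 #" becomes IwBoM9n90#) are shown below as a small checker. This is an added example for this page, not code from the original session; the word list is a constructed stand-in for a real dictionary, and the passphrase reduction rule (first character of each word, plus any digits or punctuation inside the word) is an inference that reproduces the slide's single example.

```python
import re

# Constructed stand-in for a real dictionary; a deployment would load a full word list.
DICTIONARY_WORDS = {"password", "welcome", "summer", "mumbai", "letmein", "secret", "admin"}

MIN_LENGTH = 8  # "At least 8 characters" from the slide


def password_findings(candidate: str) -> list[str]:
    """Return the slide's rules that the candidate violates; an empty list means it passes."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append("fewer than 8 characters")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        findings.append("no mix of upper and lowercase characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)):
        findings.append("no mix of alpha and numeric characters")
    # Dictionary rule: any run of four or more letters that is a listed word.
    for run in re.findall(r"[A-Za-z]{4,}", candidate):
        if run.lower() in DICTIONARY_WORDS:
            findings.append(f"contains dictionary word '{run.lower()}'")
    return findings


def is_strong(candidate: str) -> bool:
    return not password_findings(candidate)


def passphrase_to_password(phrase: str) -> str:
    """Reduce a memorable phrase to a password (inferred rule, see lead-in):
    keep the first character of each word, then any non-letter characters in it."""
    out = []
    for word in phrase.split():
        out.append(word[0])
        out.extend(ch for ch in word[1:] if not ch.isalpha())
    return "".join(out)


if __name__ == "__main__":
    derived = passphrase_to_password("I was Born on May 9 nineteen90 #")
    print(derived, "strong" if is_strong(derived) else password_findings(derived))
    for sample in ("Welcome1", "summer2016", "Abc1"):
        print(sample, password_findings(sample))
```

Note that the dictionary rule only catches words that appear as whole alphabetic runs; a full implementation would also test common substitutions (0 for o, 3 for e), which the slide's rules do not mention.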