Security Awareness Lesson 12 PDF
City College of Calamba
Summary
This document is a handout about security awareness, covering topics like cyber security, phishing attacks, and best practices. It provides an introduction to security awareness and details different types of security threats.
Full Transcript
SEC101: SECURITY AWARENESS
PRELIM

LESSON 1: INTRODUCTION TO SECURITY AWARENESS

SECURITY AWARENESS is the knowledge and attitude members of an organization possess regarding the protection of the physical, and especially informational, assets of that organization.

CYBER SECURITY AWARENESS is the process of educating employees about the cyber security risks and threats they face, as well as the potential weak spots in the organization.

OCTOBER - Cyber Security Awareness Month

BENEFITS OF CYBER SECURITY AWARENESS TRAINING
✓ less risk to the overall security of an organization's digital network
✓ less likelihood of lapses in protection should someone leave the company
✓ better reputation with consumers

Much of cyber security can be broken down into seven main topics:
1. Data breaches - information stolen or taken from a system without the knowledge of its owner.
2. Secure passwords
3. Malware (Malicious Software) - a file or piece of code, typically delivered over a network, that infects a system and then steals data or carries out virtually any other behavior the attacker wants.
4. Privacy
5. Safe computing - practices that make your devices or systems safer, such as installing a firewall and antivirus software.
6. Mobile protection
7. Online scams

SECURITY AWARENESS BEST PRACTICES
✓ Getting into compliance - Different cities, states, and nations have different rules and regulations to follow. Everyone must become aware of these rules, because ignorance of the law is not an adequate defense.
✓ Including everyone, even managers - It's all or nothing. Anyone not participating in the new security measures is a possible weak link; if everyone isn't fully engaged, the effort is wasted. This also means that all departments (e.g., HR, Legal, Security) must buy in and help make it a reality.
✓ Establishing the basics, which include:
o Anti-phishing tactics - Employees need to be suspicious of emails from unrecognized sources. Phishing scams use email to gain access to systems and wreak havoc. Employees must be educated about suspicious links, attachments, and untrustworthy senders.
o Password security - There is no excuse for having the word "password" as your password. Passwords should be at least eight characters long, with both upper- and lower-case letters, numbers, and at least one special character. Avoid mistakes such as writing the password on a post-it note and sticking it to your computer. (A practical caveat: current guidance such as NIST SP 800-63B puts more weight on length and on screening passwords against lists of known-breached or common passwords than on composition rules; treat the rules above as a floor, not a guarantee of strength.)
o Physical security - This includes everything from physical access to your company's IT department to keeping company-issued mobile devices and laptops locked and within sight at all times.
o Social engineering - It is crucial to raise everyone's awareness of hazards such as attempts to manipulate employees into granting system access or divulging confidential company information.
✓ Clearly communicating your security awareness program - This practice is especially important for middle and upper management. The higher-ups need to be kept in the loop, apprised of current progress, and informed when any individual or department is not compliant.
✓ Making the training engaging and even entertaining - Company meetings and seminars are often dull affairs that everyone does their best to avoid. Keep people engaged by showing a humorous (yet topical) video or sharing odd and quirky security-related anecdotes. Just don't overdo it.
✓ Reinforcing important messages with reviews and repetition - People often make the mistake of thinking that if they do something once, they don't have to do it again. Cyber security is an ongoing effort and should include occasional tests and checks, scheduled at regular intervals throughout the year.
✓ Creating an environment of reinforcement and motivation - Promote constant vigilance and learning by creating a security culture that runs through every organizational level, down the entire chain of command. While it is not necessary to continually harp on the subject with employees and end users, cyber security should be a relevant, everyday topic.

LESSON 2: PHISHING ATTACKS

What is a Phishing Attack?

PHISHING is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the revealing of sensitive information.

An attack can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or identity theft. Moreover, phishing is often used to gain a foothold in corporate or governmental networks as part of a larger attack, such as an ADVANCED PERSISTENT THREAT (APT) EVENT. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.

PHISHING TECHNIQUES
1. Email phishing scams - Email phishing is a numbers game. An attacker sending out thousands of fraudulent messages can net significant information and sums of money, even if only a small percentage of recipients fall for the scam. In addition, attackers will usually try to push users into action by creating a sense of urgency.
2. Spear phishing - Spear phishing targets a specific person or enterprise, as opposed to random application users. It is a more in-depth version of phishing that requires special knowledge about an organization, including its power structure.

How to prevent phishing?

Phishing protection requires steps to be taken by both users and enterprises.

For users, vigilance is key. A spoofed message often contains subtle mistakes that expose its true origin. These can include spelling mistakes or subtly altered domain names (look-alike domains). Users should also stop and think about why they are receiving such an email at all.

For enterprises, a number of steps can be taken to mitigate both phishing and spear phishing attacks:

Two-factor authentication (2FA) is one of the most effective controls against phishing, as it adds an extra verification layer when logging in to sensitive applications. 2FA relies on users having two things: something they know, such as a password, and something they have, such as their smartphone. Even when an employee's password is phished, 2FA prevents the use of that credential on its own, since the password alone is insufficient to gain entry. (A practical caveat: one-time codes delivered by SMS or generated by an authenticator app can still be relayed by a real-time phishing proxy that forwards the victim's code to the real site within its validity window; phishing-resistant methods such as FIDO2/WebAuthn security keys bind the login to the legitimate site's origin and defeat that attack.)

In addition to using 2FA, organizations should enforce strict password management policies. For example, employees should be required to change their passwords frequently and should not be allowed to reuse a password across multiple applications. (Mandatory periodic rotation is no longer recommended by NIST SP 800-63B, which prefers changing a password when there is evidence it has been compromised; the prohibition on reuse across applications remains sound, since a password phished from one site is routinely tried against others.)

Educational campaigns can also help diminish the threat of phishing attacks by reinforcing secure practices, such as not clicking on links in external email.