Security Awareness Lesson 12 PDF

Summary

This document is a handout about security awareness, covering topics like cyber security, phishing attacks, and best practices. It provides an introduction to security awareness and details different types of security threats.

Full Transcript

SEC101: SECURITY AWARENESS
PRELIM

LESSON 1: INTRODUCTION TO SECURITY AWARENESS
SECURITY AWARENESS is the knowledge and attitude members of an organization possess
regarding the protection of the physical, and especially informational, assets of that
organization.

CYBER SECURITY AWARENESS involves the process of educating employees on the
different cyber security risks and threats out there, as well as potential weak spots.

OCTOBER-Cyber Security Awareness Month

BENEFITS OF CYBER SECURITY AWARENESS TRAINING
✓ less of a risk to the overall security of an organization’s digital network
✓ less likelihood of lapses in protection should someone leave the company
✓ better reputation with consumers

Much of cyber security can be broken down into seven main topics:

1. Data breaches – stolen or taken information from the system without the knowledge
of the user.
2. Secure passwords
3. Malware (Malicious Software) - a file or piece of malware that spreads via a network
and steals any desirable behaviors.
4. Privacy
5. Safe computing – a method that making your devices or system safe such as
installing firewall programs and antivirus.
6. Mobile protection
7. Online scams

SECURITY AWARENESS BEST PRACTICES
✓ Getting into compliance - Different cities, states, and nations have different rules
and regulations to follow. Everyone must become aware of these rules because
ignorance of the law is not an adequate defense.
✓ Including everyone, even managers - It’s all or nothing. Anyone not participating
in the new security measures constitutes a possible weak link. If everyone isn’t fully
engaged, it’s all for nothing. This practice also assumes that all departments (e.g.,
HR, Legal, Security) must buy-in and help make it a reality.
✓ Establishing the basics, which include:
o Anti-phishing tactics - Employees need to be suspicious of emails
from unrecognizable sources. Phishing scams use emails to gain
access to systems and wreak havoc. Employees must be
educated on things like suspicious links, attachments, and
untrustworthy sources.
o Password security - There’s no excuse for having the word
“password” as your password. They should be at least eight
characters long, with both upper- and lower-case letters, numbers,
and a minimum of one unique character. Avoid mistakes such as
writing the password on a post-it notes and attaching it to your
computer.
o Physical security - This includes everything from physical access to
your company’s IT department to keeping your company-issued
mobile devices and laptops always locked and within sight.
o Social engineering - It’s crucial to raise everyone’s awareness of
hazards, such as attempts at manipulating employees into
granting system access or divulging confidential company
information.
✓ Clearly communicating your security awareness program - This practice is
especially important for middle and upper management. The higher-ups need to
be kept in the loop, apprised of the current progress, and, in rare instances, report
if any individual or department isn’t compliant.
✓ Making the training engaging and even entertaining - Company meetings and
seminars are often dull affairs that everyone does their best to avoid. Keep people
engaged by showing a humorous (yet topical) video or sharing odd and quirky
security-related anecdotes. Just don’t overdo it.
✓ Reinforcing important messages with reviews and repetition - People often make
the mistake of thinking that if they do something once, they don’t have to do it
again. Cyber security is an ongoing thing and should include occasional tests and
checks, scheduled at regular intervals throughout the year.
✓ Creating an environment of reinforcement and motivation - Promote constant
vigilance and learning by creating a security culture that runs through every
organizational level, down the entire chain of command. While it’s not necessary
to continually harp on the subject with employees and end-users, cyber security
should be a very relevant, everyday topic.
LESSON 2: PHISHING ATTACKS

What is a Phishing Attack?

PHISHING is a type of social engineering attack often used to steal user data, including
login credentials and credit card numbers. It occurs when an attacker, masquerading as
a trusted entity, dupes a victim into opening an email, instant message, or text message.
The recipient is then tricked into clicking a malicious link, which can lead to the installation
of malware, the freezing of the system as part of a ransomware attack or the revealing
of sensitive information.

An attack can have devastating results. For individuals, this includes unauthorized
purchases, the stealing of funds, or identify theft.

Moreover, phishing is often used to gain a foothold in corporate or governmental
networks as a part of a larger attack, such as an ADVANCED PERSISTENT THREAT (APT)
EVENT. In this latter scenario, employees are compromised in order to bypass security
perimeters, distribute malware inside a closed environment, or gain privileged access to
secured data.

PHISHING TECHNIQUES
1. Email phishing scams

Email phishing is a numbers game. An attacker sending out thousands of fraudulent
messages can net significant information and sums of money, even if only a small
percentage of recipients fall for the scam. In addition, attackers will usually try to push
users into action by creating a sense of urgency.

2. Spear phishing

Spear phishing targets a specific person or enterprise, as opposed to random application
users. It’s a more in-depth version of phishing that requires special knowledge about an
organization, including its power structure.

How to prevent phishing?

Phishing attack protection requires steps be taken by both users and enterprises.

For users, vigilance is key. A spoofed message often contains subtle mistakes that expose
its true identity. These can include spelling mistakes or changes to domain names, as seen
in the earlier URL example. Users should also stop and think about why they’re even
receiving such an email.
For enterprises, a number of steps can be taken to mitigate both phishing and spear
phishing attacks:

Two-factor authentication (2FA) is the most effective method for countering phishing
attacks, as it adds an extra verification layer when logging in to sensitive applications.
2FA relies on users having two things: something they know, such as a password and
username, and something they have, such as their smartphones. Even when employees
are compromised, 2FA prevents the use of their compromised credentials, since these
alone are insufficient to gain entry.

In addition to using 2FA, organizations should enforce strict password management
policies. For example, employees should be required to frequently change their
passwords and to not be allowed to reuse a password for multiple applications.

Educational campaigns can also help diminish the threat of phishing attacks by enforcing
secure practices, such as not clicking on external email links.