INFORMATION SECURITY AWARENESS TRAINING
- Social Engineering
- Protect Data Systems
- Cloud Services
- Sensitive Data/PII
- Mobile Computing
January 2019 Cyber Attacks Statistics:
- National Institute of Standards and Technology (NIST) recommends…
  - An eight-character minimum and 64-character maximum length.
  - Restrict sequential and repetitive characters (e.g. 12345 or aaaaaa).
  - Restrict context-specific passwords (e.g. the name of the site, etc.).
  - Restrict commonly used passwords (e.g. p@ssw0rd, etc.).
  - Restrict passwords obtained from previous breach corpora.
- Additional password best practices and recommendations:
  - Don’t write down passwords, and make sure not to share them.
  - Avoid saving passwords in your browser.
  - Consider a password manager to manage all of your unique passwords.
    - LastPass (free for personal use)
    - 1Password (subscription options)
  - Multi-Factor Authentication (DUO).
  - Never reuse the same password.
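The NIST rules listed above, worked into a small checker. This is an added example, not code from the page or from SLCC; the breach/common-password list is a constructed stand-in for a real corpus, and the context words are supplied by the caller.

```python
import re

# Constructed stand-in for a breach corpus / common-password list (a few entries only).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "p@ssw0rd", "letmein", "iloveyou"}

def has_sequential_run(pw, length=4):
    """True if pw holds `length` consecutive ascending or descending characters (1234, abcd, dcba)."""
    for i in range(len(pw) - length + 1):
        diffs = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + length - 1)}
        if diffs in ({1}, {-1}):
            return True
    return False

def has_repeated_run(pw, length=4):
    """True if one character repeats `length` or more times in a row (aaaa)."""
    return re.search(r"(.)\1{%d,}" % (length - 1), pw) is not None

def check_password(pw, context_words=(), breached=BREACHED_PASSWORDS):
    """Return the list of NIST-style rules the password breaks; an empty list means it passes.

    context_words are site- or organization-specific terms (e.g. the site name) to reject."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 64:
        problems.append("longer than 64 characters")
    if has_sequential_run(pw):
        problems.append("contains a sequential run such as 1234 or abcd")
    if has_repeated_run(pw):
        problems.append("contains a repeated character run such as aaaa")
    lowered = pw.lower()
    for word in context_words:
        if word.lower() in lowered:
            problems.append(f"contains the context-specific word '{word}'")
    if lowered in breached:
        problems.append("appears in the breach/common-password list")
    return problems
```

A real deployment would replace the constructed set with a full breach list (or a k-anonymity lookup against one) and pass the organization's name and site name as context words.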
Email Deserves a Good Look
- Be Alert. Be diligent.
- Be suspicious if you’ve never done business with the person or organization listed in the From: field.
- If you hover over the name in the From: field, does it match? Does it look legitimate?
- Attachments you weren’t expecting?
- Dangerous links masked as safe links?
- Again, hover over the link to see where it really goes; hovering does not equal clicking.
- Public Email Services
  - A legitimate business will never use a free, public email domain to conduct business.
- Avoid these common traps
  - If you’re being threatened, promised money, or given any urgent request, use extreme caution.
- Personal Information
  - Don’t provide sensitive or personal information over email.
  - Encrypt emails when it is required to send sensitive or personal information.
- Personal Email
  - There are risks associated with using personal email on college systems; college email (@slcc) has protections in place. Use personal email for personal matters and business email for business.
Social Engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system.
The hacker might use the phone, email, SMS, snail mail or direct contact to gain illegal access.
Examples of social engineering:
- Fake tech-support calls
- Fake IRS calls
- USB baiting
- Pretexting/Social networking
- Phishing (phone, email, texting)
Spam vs Phishing
Phishing attacks are the most common type of attack leveraging social engineering techniques. Attackers use email, social media, instant messaging, and SMS to trick victims into providing sensitive information or visiting a malicious URL in an attempt to compromise their systems.
Phishing attacks frequently present the following common characteristics:
- Too Good To Be True - Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people’s attention immediately. For instance, many claim that you have won an iPhone, a lottery, or some other lavish prize. Just don't click on any suspicious emails. Remember that if it seems too good to be true, it probably is!
- Sense of Urgency - A favorite tactic amongst cybercriminals is to ask you to act fast because the super deals are only for a limited time. Some of them will even tell you that you have only a few minutes to respond. When you come across these kinds of emails, it's best to just ignore them. Sometimes, they will tell you that your account will be suspended unless you update your personal details immediately. Most reliable organizations give ample time before they terminate an account and they never ask patrons to update personal details over the Internet. When in doubt, visit the source directly rather than clicking a link in an email.
- Hyperlinks - A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed upon clicking on it. It could be completely different or it could be a popular website with a misspelling, for instance www.bankofarnerica.com - the 'm' is actually an 'r' and an 'n', so look carefully.
- Attachments - If you see an attachment in an email you weren't expecting or that doesn't make sense, don't open it! They often contain payloads like ransomware or other viruses. The only file type that is always safe to click on is a .txt file.
- Unusual Sender - Whether it looks like it's from someone you don't know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in general don't click on it!
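The hyperlink check described above (compare what the link text shows with where the link really goes, and watch for lookalike spellings such as "rn" standing in for "m") as an added Python example. It is not code from the page or from SLCC; the trusted-domain list, the confusable-character table and the sample message are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed list of domains the reader actually does business with (an assumption).
TRUSTED_DOMAINS = {"bankofamerica.com", "slcc.edu"}

# Character pairs that look alike in many fonts, mapped to the letter they imitate.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host):
    """Reduce a host name to its last two labels, e.g. www.slcc.edu -> slcc.edu."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def normalize(domain):
    """Collapse lookalike sequences so bankofarnerica.com compares equal to bankofamerica.com."""
    for lookalike, canonical in CONFUSABLES:
        domain = domain.replace(lookalike, canonical)
    return domain

def domain_in_text(text):
    """If the visible link text looks like a URL or host name, return its registered domain."""
    t = text.strip()
    if " " in t or "." not in t:
        return ""
    return registered_domain(urlparse(t if "://" in t else "//" + t).hostname or "")

def assess_link(href, text):
    """Return warnings for one anchor: display/destination mismatch and lookalike domain."""
    warnings = []
    real = registered_domain(urlparse(href).hostname or "")
    shown = domain_in_text(text)
    if shown and shown != real:
        warnings.append(f"link text shows {shown} but the link goes to {real}")
    if real not in TRUSTED_DOMAINS and normalize(real) in {normalize(d) for d in TRUSTED_DOMAINS}:
        warnings.append(f"{real} imitates a trusted domain (lookalike characters)")
    return warnings

def assess_html(html):
    """Map each href in an HTML email body to its list of warnings."""
    return {href: assess_link(href, re.sub(r"<[^>]+>", "", text)) for href, text in ANCHOR_RE.findall(html)}

# Constructed sample message body, not a real email.
SAMPLE_EMAIL = """<p>Your account needs attention.</p>
<a href="http://www.bankofarnerica.com/login">www.bankofamerica.com</a>
<a href="https://www.slcc.edu/">SLCC home page</a>"""
```

Running `assess_html(SAMPLE_EMAIL)` flags the first link twice (text/destination mismatch and lookalike domain) and the SLCC link not at all; a mail client's hover preview is doing the first of these checks for you by hand.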
Other email scams:
- Ransomware - uses malware to encrypt your files and demands money in exchange for the keys to decrypt them.
- Extortion scams - Blackmail or tricking you to believe that they have evidence in an attempt to get money. They can be very sophisticated and will even show you that they know your password or include personal information about you in the communications.
Proofpoint email protection
- Proofpoint protection utilizes a URL Defense strategy that protects you and SLCC by blocking access to websites that are judged to be harmful. Part of this entails the scanning and inspection of all links and attachments of every message delivered to your inbox.
- During the scanning process, all links are rewritten as a Proofpoint URL that begins with https://urldefense.proofpoint.com and is followed by a string used to redirect to the correct site.
Protect data & systems
Keep Private Data Private
- Vary your passwords
  - Use unique, complex passwords on different sites and systems.
- Properly destroy unwanted data
  - Shred unwanted documents and CDs.
  - Thoroughly wipe devices (USB or external hard drives) before discarding.
- Lock up when you leave
  - Secure sensitive files and lock computer screens when you walk away.
- Encrypt sensitive files
  - Use encryption when sharing or storing confidential data.
- If in doubt, ask someone; the fines and loss of reputation aren’t worth it.
- Not good for SLCC data; it should have secure backups, and encryption of drives is recommended.
- External (USB, hard drives)
  - Not a good practice; refrain if possible.
  - Encryption highly recommended.
- Shared Drives
  - There are departmental shared drives; they are access-controlled by user/role.
- Cloud Services
  - Personal use: choose a service from a legitimate company that has updating and patching standards and will be around for a while.
  - SLCC sensitive information should not be stored outside the control of the college.
  - Cloud storage is not as secure as SLCC storage options.
  - Recovery of cloud services data can be hit or miss.
  - Support for cloud apps or storage can cost a premium.
  - The solution may lack regulatory compliance such as HIPAA or FERPA.
  - In the cloud, where exactly is your data?
  - Recommendation: Store work-related sensitive data on the departmental network share and work with OIT to secure it appropriately.
Protect Personally Identifiable Information (PII)
- What is PII?
  - Personally identifiable information (PII) includes any type of data that can directly identify, or be combined to identify, a specific individual.
- USE THESE BEST PRACTICES TO PROTECT PII:
  - Share PII only with authorized individuals through approved channels.
  - Only collect and store PII that’s business critical.
  - Think twice before disclosing any personal information.
  - Follow college-approved policies for collecting, sharing, and storing PII.
  - Never write down credit card information on a sticky note or paper.
  - InfoSec regularly scans for this type of data.
Other types of sensitive data
- Intellectual property
- Financial information
- FERPA Records
- HIPAA Records
- Many more
Considered Directory Info "Not Sensitive":
Use Good Judgement!
- Never put sensitive data on a mobile device.
- Set a lock screen (PIN, password, or biometric authentication) on any mobile device.
- Beware of “free” wireless. Man-in-the-middle attacks, such as an “evil twin” access point, are easy to set up.
- Keep your home WiFi devices’ software and firmware updated, and change default passwords.
- Do not allow strangers to use your mobile device.
- Back up the information on your mobile device regularly.
- Only install trusted applications from the official app store.
- Update your mobile device regularly (do not “jailbreak” your phone).
- Do not click on links you don’t trust (email, SMS, web…).
Virtual Private Network (VPN)
- SLCC provides two VPN options.
  - AllAccess and F5 BIG-IP Edge Client (links are below)
  - These two VPNs are designed to protect SLCC resources.
  - They use what is called split tunneling: only SLCC-bound traffic goes through the VPN, while all non-SLCC traffic is not encrypted by the VPN and is sent out normally.
- Personal VPN (subscription based) - *Don’t use your personal VPN while onsite or on the SLCC network.*
  - Make sure it is “full tunnel” encryption.
  - NordVPN, ExpressVPN, and many others.
  - VPNs can slow down your network communications. We recommend turning the VPN on and off per use scenario.
Thank you for taking the time to make yourself Aware!