Information Security Basics: Starting a Security Awareness Program at your Station. Seton R. Droppers, CISSP PBS

Transcription

1 Information Security Basics: Starting a Security Awareness Program at your Station Seton R. Droppers, CISSP PBS

2 Who am I Seton R. Droppers PBS 1986 and 2004 MCI/UUNET 1998 VMS, Unix system Internet Security and DR 2

3 What Are We Doing Defining Information Security Discussing Information Security Awareness, Training, and Education InfoSec Awareness Presentation Resources Based on ISO 27K series, additional 3

4 Information Assets Asset essential to organizations business Requires Protection May be stored, written on paper, shown on films, or spoken conversation, or other Interconnectivity increases exposure 4

5 Information Security Based in part on ISO 27K standards series The preservation of Confidentiality, Integrity and Availability of information ( C-I-A ) May also include protecting properties such as authenticity, accountability, nonrepudiation and reliability 5

6 Achieving Information Security Implement suitable controls Establish, monitor, review, improve Ensure people know about the need for controls, and the controls 6

7 Scope of Information Security Information Assets Business Processes using assets Systems holding and processing information assets People executing processes 7

8 Information Security Awareness and Training How people (staff) know what an Information Asset is what they need to be careful about and do 8

9 Definitions Awareness Training Education 9

10 Awareness What we are talking about What we are protecting What too look for Where to get assistance 10

11 Training In-depth knowledge of specific systems, assets, or tools, and how to use them to perform necessary activities that support information security goals 11

12 Education Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge 12

13 Method or Format Informal Computer or Web Based Classroom or Presentation Other 13

14 Development and Planning Development and planning are key Understand what you are attempting to do Create a plan Do the work Evaluate how it went 14

15 Example Methodologies Microsoft NIST PDCA Remember: Many methods More than Here 15

16 Microsoft 16

17 NIST 17

18 PDCA (Plan-Do-Check-Act) Act Plan Check Do 18

19 Plan Needs Audience Management Support Staff Approach Funding Content Evaluation 19

20 Do Create/Obtain Presentations Test Presentation Finalize Presentation Roll-out to everyone 20

21 Check Evaluate according to previously enumerated evaluation criteria Identify gaps Identify strengths Identify unneeded content 21

22 Act Draft modifications to accommodate findings during Check phase Report to management Ensure all input available for next cycle (will be input to needs analysis, etc.) 22

23 Planning for THIS Presentation Goals Awareness (Not Training) Audience 23

24 Goals General in nature Include useful goals NOT created for any specific individual environment 24

25 Awareness vs. Training This is to increase awareness This is NOT in-depth training Examples Basic definitions provided NO instructions on how to apply patches 25

26 Audience Technical staff involved in the every day operation and engineering of PBS stations. 26

27 Security Awareness Presentation 27

28 Information (Definition) Information is an asset that, like other important business assets, is essential to an organization s business and consequently needs to be suitably protected. ISO/IEC ISMS Security techniques code of practice (ISO/IEC 17799:2005) 28

29 Information (Examples) Personal Information Corporate Information Financial Information Physical Information Computer Information 29

30 Suitably Protected Is the information asset worth the trouble to protect How can the information be protected (controls) Use Risk Based approach 30

31 Getting to Suitably Protected C-I-A Scope Risk Cost Benefit 31

32 C-I-A Confidentiality Integrity Availability 32

33 Scope Key Equipment Important Documents Systems Containing critical data Personal Information 33

34 Risk & Risk Management Risk: The possibility of something adverse happening Risk management: The process of assessing risk, taking steps to reduce risk to an acceptable level and maintaining that level of risk 34

35 Cost/Benefit There is a cost (money, time, complexity) to reducing (mitigating) risk We only reduce risk where the cost makes sense (if we are doing our job right) Helps to focus our time, money, etc. 35

36 The Internet = A World of Opportunities 36 Look what s at your fingertips A way to communicate with friends, family, + colleagues Access to information and entertainment A means to learn, meet people, and explore

37 Leading Internet Risks and Threats To PC Security Viruses Worms Trojan Horses Spyware 37

38 Online Security Versus Online Security: We must secure our computers with technology in the same way that we secure the doors to our offices Safety: We must act in ways that protect us against the risks and threats that come with Internet use Safety 38

39 Leading Threats to PC Security Viruses/Worms Software programs designed to invade your computer, and copy, damage or delete your data Trojan Horses Viruses that pretend to be programs that help you while destroying your data and damaging your computer Spyware Software that secretly watches and records your online activities or send you endless pop-up ads 39

40 Steps You Can Take Your computer 1. Turn on an Internet firewall 2. Keep your operating system up to date 3. Install and maintain anti-virus software 4. Install and maintain anti-spyware software 40

41 Take Steps to Help Protect Information 1. Practice Internet behavior that lowers your risk 2. Manage your business information carefully 3. Use technology to reduce nuisances, and raise the alarm when appropriate 41

42 Delete Spam without Opening It Never reply to spam Technology can help you identify spam so you can delete it Many Internet providers delete it for you 42

43 Use Strong Passwords Keep passwords private and create ones that are hard to crack Never share your passwords with friends or be tricked into giving them away 43

44 Four Steps To Protect Your Computer 1. Turn on an Internet firewall 2. Keep your operating system up to date 3. Install and maintain antivirus software 4. Install and maintain antispyware software 44

45 Turn on an Internet Firewall An Internet firewall is like a moat around a castle, creating a barrier between your computer and the Internet 45

46 Keep Your Operating System Install all security updates as soon as they are available Automatic updates provide the best protection Updated 46

47 Install Antivirus Software Don t let it expire Anti-virus software can detect and destroy computer viruses before they can cause damage Just like flu shots, for anti-virus software to be effective, you must keep it up to date 47

48 Install And Maintain Antispyware Software Use anti-spyware software so unknown people cannot lurk on your computer and potentially steal your information 48

49 Other Ways to Protect Your PC Back up your files regularly Think before you click Read website privacy statements Close pop-ups using red X 49

50 Back Up Your Files Save to CD or DVD Use a Web-based backup service 50

51 Think Before You Click Don t open attachments unless you know what they contain and who sent them Only download files from websites you trust 51

52 Close Pop-ups Using Red X Always use the red X in the corner of a popup screen Never click yes, accept or even cancel, because it could be a trick that installs software on your PC 52

53 Protecting Information Know who should see it Lock It Up Destroy when done 53

54 The People Side Social Engineering and Messaging Being a Good Citizen 54

55 Social Engineering (or Let Me Help You ) We want to be helpful, it is only natural Dishonest folks take advantage of this Not just computers Make sure the request is legitimate Make sure you know who is really making the request 55

56 and Messaging When they phish, don t bite Read it twice (Both the request AND your response) and 56

57 and Messaging II Don t push send until you have read it again! Be especially careful when in a hurry and are upset 57

58 Be a Good Citizen Follow the requests from the IT support groups Identify equipment that needs special handling When making a special request document the affect to your business process 58

59 Resources As of the date required for this version of the presentation the resource list is not available. Please monitor the Discuss Computing area of PBS Connect for additional information. 59

60 Q&A 60

61 Contact Information Seton R. Droppers Twitter: pbs_srdroppers Voice: (703)