Security 101 for Business Managers

Transcription

1 April, 2014 Security 101 for Business Managers Basic Security Principles to Help You Better Secure your Corporate Network To join conference call dial (305) option 4 PIN # Presented by: Miguel Fra miguel@falconitservices.com Sources: Neostrategos, onlinecollegecourses.com, forbes.com, go-gulf.com, us-cert.gov, microsoft.com, staysafeonline.org, ncsa

2 Why We Need Security Training 3 in 4 Americans have been hacked or have been victims of cyber crime. 90% of businesses have been hacked in the last 12 months. Of those, 77% have been hacked more than once. Last year, $ 1 trillion in intellectual property was stolen by cyber criminals. 600,000 Facebook accounts get hacked every day. 92% of top 100 paid mobile apps have been hacked. 30,000 Web site hacked per day. Estimated annual cost of cybercrime is 100 Billion US$ 1.5 million cybercrime victims per day. 233 million identities stolen each year.

3 How Cybercriminals get Access Types of Attacks Viruses Insider Device Theft SQL Injection Phishing Web Based

4 Hacked Bank Funds Recovery Able to hold on Able to recover funds Unrecoverable Loss to bank Loss to business

5 Situational Awareness is Key Security is an individual as well as a business investment. Learn as much as you can so that you can help prevent cybercrime. Individual training and awareness is an additional layer added to your company s existing hardware and software security infrastructure.

6 Security vs. Convenience

7 Good Password Policies Use strong passwords with upper case, lower case, number and special characters and a minimum of 6 characters. Don t use passwords that contain names, birthdays, pet names, phone numbers, etc. Don t use names or dictionary words followed by numbers, i.e. Stingray2010, Fireman1, Baseball1234 Don t share passwords across multiple services i.e. same password for Gmail, Credit Cards, Work, Twitter, etc. Don t use sequential passwords for different services i.e. mypassword10, mypassword11, mypassword12, etc. Don t store your passwords under your keyboard, in your drawer, in Outlook, Gmail, Phone, password wallet software, etc.). Best place to store passwords is in your brain, second best is written on a piece of paper and kept in your wallet. If you have a bad memory, use meaningful words with a twist like: 1L0v3Ch0c0l@t3 (ILoveChocolate) Be weary of shoulder surfers that may be looking at you when you enter your password. Never tell your password to anyone, including people from support, customer service, helpdesk, etc. Make sure that employees don t keep user names, passwords or other sensitive information on cloud based Web mail.

8 Good Desktop PC Security Policies Log off from your desktop when you leave your desk. Apply auto logon inactivity time to your corporate network. Do not store private information such as social security numbers, etc. on your desktop. Requires users to seek permission and clearance when saving sensitive data on network shares. If you receive an anti virus alert, immediate report it to Falcon IT Services. Don t install any software/apps that have not been specifically authorized. Keep your desktop and AV up to date. Accommodate time for our technicians when they periodically call you to do desktop maintenance. Read computer alerts and understand them. Don t just click on them to get rid of them! Restrict access to work related Web sites. Restrict CD ROM/DVD and USB Mass Storage Devices on the desktops.

9 Beware of Phishing & Social Engineering Phishing is the practice of luring users to visit fake Web sites in order to steal passwords, pin numbers and other sensitive information. Social Engineering is the practice of using personal charm, charisma, deception and trickery in order to elicit sensitive information from the victim. Social engineers use social media (Twitter, Facebook, Web Sites, etc.) to discover information about the victim (reconnaissance). Be as discreet as possible.

10 &Phishing Do not follow links from asking you to visit a Web page. Be weary of banks, credit cards, IRS, utilities, and others asking you to visit their site via unsolicited link. Always make sure that login pages use SSL and that the login pages starts with Always make sure that the domain name is darker than the rest of the URL when visiting sites. Look for inconsistencies, bad grammar and/or misspelled words on s and web sites as signs of potential fake phishing sites. Don t send confidential information by , Instant messaging or text message. Situational awareness: don t open s with attachments if they are out of context ( i.e. iloveponies.pdf from your boss or businessmeeting.pdf from a relative) View all attachments and links with suspicions. No matter who they are from. Beware of: generic salutations, suspicious addresses, alarmist messages, grammatical errors/misspellings, request to verify, update or change account settings. We weary of unsolicited requests by to reset your PIN, ID or password. Don t open attachments from unsolicited or unexpected s. Disallow attachments such as ZIP files and Executables. Disallow access to employee s personal addresses.

11 Social Engineering If you get a call from a bank, credit processor, IRS, phone company etc. and they ask for private information, DO NOT divulge the information. Instead, ask for their name and extension and call them on the number listed on their corporate Web site. Unless you can positively identify the identity of the person you called you, never give out information to an inbound caller. Make sure your employees know to do the same. Reduce the amount of information about yourself in Facebook, LinkedIn and other social media sites. That information is useful in social engineering. Do not give passwords or personal information to helpdesk or support technicians. They should have access to your system via their own user names and passwords. Careful who you add as a friend or connect to when using social media. Business owners and managers are high value targets for social engineers. Common Social Engineering Tactics Familiarity Exploit Posing as familiar entities or using those positions for reconnaissance. Do not give information to people from the phone company, mailmen, electric company, etc. Creating emergencies or urgency. This makes the victim nervous, anxious and more likely to divulge information. Creating hostile situations. People often try hard to avoid fights and hostilities and in trying to do so, may lose situational awareness and divulge information. Get a job there! Make sure you do background checks on the people that will have access to your network, your resources and your information. Cybercriminals often get jobs where they can surreptitiously collect data or they recruit people that work there.

12 Web Surfing Restrict surfing to only work-related Web sites. 30,000 Web sites get hacked each day, so be weary even when surfing known Web sites. Don t download and install Apps from unknown Web sites. Don t download and install unsolicited Apps from known Web sites. Read alerts. Don t just click on them to get rid of them! Use situational awareness and be extra careful when surfing new or unknown Internet sites. Situational awareness is key!

13 If you see pop up while surfing, and it s claiming that you are infected with a virus, press ALT+F4 to close the window or CTRL+AL+DEL to log off. Do not click on any part of the pop up, not even the X to close the window!!! Read Windows pop-up alerts. Don t just click on them to get rid of them. Beware of threats of inaction, over the top virus alerts and demagoguery. These tend to be viruses. Drive By Infections

14 Use a Unified Threat Gateway to Avoid Web surfing Drive Bys UTM gateways scan all traffic that traverse the firewall. Traffic that may contain malware is automatically blocked before it enter the network. UTM is available as a subscription based service for Sonicwall & Juniper routers & gateways.

15 Social Media & On-Line Services Social Media and Free Services such as Facebook, Twitter, Gmail and other want as much personal information about you as possible so that they can sell it to advertisers (big data). Hackers want the same information so that they can use social engineering to gain unauthorized access to your valuables. On-Line services opt for convenience over security because they do not want to push customers away. Don t post anything you would say only to a close friend such as feelings, money problems, etc. These types of posts expose you to cyberbullying and on-line scammers. Keep sensitive data to yourself. Especially information that can be used by scammers to impersonate you. Talk to your family, friends and employees about what you don t want posted on line. On-Line services rely on common social media comments as password reset or authentication mechanisms for forgotten passwords (favorite movie, favorite pet, elementary school). That same information people usually post willingly on social media! Talk to your employees about what they are posting on social media about your business. Protect your Internet registrar information like it was your bank! Gaining access to your registrar can divert password resets to rogue servers. Laws have not caught up with technology, in fact they are YEARS behind. Laws are needed for people and corporations to behave ethically. Those laws are virtually non existent when it comes to new technologies and on-line privacy. Although it s illegal for an employer to ask you about race, religion or ethnicity during a job interview, it s not illegal for an employee to filter out those same things using social media tools? Banks can deny you a loan or increase your interest rate simply because you friended someone who has bad credit or whose profile algorithms deems you as undesirable. You can be denied life insurance based on what you or your relatives post on-line. NSA surveillance pales in comparison to the amount of data collected by Google, Yahoo, Facebook and others.

16 Smart Phones 52% of large businesses have reported smartphone incidents in the past year. 93% of workers connect their smartphones to corporate networks. Risk comes via apps that have access to phonebooks, , microphone, cameras, etc. Disallow smartphones from accessing the company s network via wireless or create a guest wireless zone on a separate subnet. Abuse/Spying/Misuse of corporate data by ISP s/ Handset Makers/ Apps. Ask yourself: Why are so many apps FREE? Rogues are apps usually undetected since smartphone security is in its infancy and smartphones seldom have antimalware. Don t keep sensitive data on your smartphone. Turn off smartphones during private meetings or when talking about extremely private information. Apps such as CrowdPilot, Facebook, Flexispy, etc. can listen in to your conversations, read your call log, etc. Apps and exploiters usually go unnoticed if it were not for human error.

17 Mitigating Security Risks Create a computer and network written corporate policy and have employees sign it. You can obtain a general policy from our Web site in Site Libraries/Forms ( and build upon it to suit your needs. Require employees to attend quarterly security training sessions. Disallow employee access to personal from work PC s. Incorporate plug-ins such as Flash and Java ONLY for users and desktops that explicitly need them. Incorporate file and folder auditing on network shares. Maintain a structured, managed and standardized method of remote access to the corporate network. 3 rd party access tools can leave PC s exposed and are difficult to manage and regulate. Ensure that all remote access such as RDP, Webmail, Intranet is encrypted. Purchase subscription based IDS (Intrusion Detection Systems) and URL Content Filtering systems. Use A/V scanners that alert network admins when a virus has been detected and encourage employees to report virus and malware infections. Discourage employees from bringing personal items (USB sticks, USB drives, laptops, etc. to work and connecting them to the corporate network. Install NPS and surfing constraints if you have work at home employees or traveling employees that take their laptops home or off-site. Install a SYSLOG server to better track and record Web traffic traversing the corporate firewall. Minimize usage of wireless devices and use up to date encryption and connection protocols. Keep your operating systems, AV and anti-malware up to date. Treat all public Wi-Fi networks as insecure networks because they are!

18 Resources Thank you for attending this presentation. If you would like to continue, stay on the call for questions and answers!