CYBER INFORMATION SECURITY AWARENESS AND PROTECTION PRACTICES
Strengthening Your Community at the Organizational Level
Las Vegas, Nevada, 2012

Security Awareness and Why It Is Important

In today's economic climate, information is every organization's most important asset, and losing it could be catastrophic. Beyond the loss of the asset itself, a breach of an organization's network can result in:
- Damage to organizational reputation
- Loss of revenue
- Assessment of fines and penalties
- Significant costs to restore and protect customer data
- Complete shutdown of business operations

Beyond the organization, network systems that provide community services, such as hospitals, financial institutions, governments and other public-sector critical infrastructure, have the potential to put an entire community at risk if compromised.

While no single solution will prevent every possible scenario, the protection of information as an asset is the responsibility of everyone in the home, community and organization, from the top down. Every member is part of the team and must take a leadership role in protecting information and the systems that manage it. Building a strong Information Security Awareness Program is a key element in ensuring that the information in your care, and the system(s) that store, process or transport it, remain accessible and uncompromised. The person using the information is likely the weakest link in its protection; therefore, promoting a strong awareness program is vital to protecting the community as a whole.

Information security includes cyber security and data security. Though some use these terms interchangeably, each has specific issues regarding the protection of different types of systems, data and information. An example of cyber security is the systems used by a train to switch from one track to another, or a missile's guidance system. An example of data security is how your computer and tablet store data and distinguish one user's ability to access it from another user's. Information security can also include the paper copy of your bank statement or email correspondence you had with a friend.

Regardless of where on the security spectrum you sit, you are critical to the protection of your personal information, your company's email service and even your community's ability to offer services. Your correct use of an information system can affect the continued use of other systems distant from you, perhaps ones you know nothing about: rather like sneezing and spreading germs. Your mouse click on an email link can launch an attack on a whole range of computer systems. Yes, your actions have that potential. Keeping with the sneezing analogy, protecting the community can be as simple as covering your mouth, washing your hands and getting a flu shot. In the information security world, that means NOT clicking on unknown links, NOT sending unprotected information over email, and USING up-to-date anti-virus software.

Information security is not easy to get your arms around. Bad guys release new attacks and launch social engineering schemes daily in an attempt to convince you to click on something. They are sitting near you at your favorite Wi-Fi hotspot and, if you read the paper, the headlines will tell you how they are launching all-out attacks on our country and its infrastructure. Just like the sneeze, the community needs your help to prevent the spread of the problem.

Information Security Myths: Hackers Are Not Interested in Me

The following myths are examples of why many organizations do not move forward with a strong cyber security program. The end result can be devastating losses to the user, the organization, its customers and the community.

1. Myth: Most hackers are kids in their teens just trying to give you a hard time.
   False: Cybercrime is big business. The first generation of cybercriminals was certainly teenagers seeking notoriety. From there, the cybercriminal evolved to a profit motive, using organized gangs with increasing sophistication, and then into a full-fledged industry where malware is bought, sold and supported.

2. Myth: The biggest security threat to my company comes from hackers.
   False: Published studies have shown that 50% to 80% of incidents resulting in significant financial loss have come from insiders (mostly employees), who can do more harm because they know where the sensitive data is located, what the system weaknesses are and how to get at the data.

3. Myth: Most hackers only attack big companies because that is where the money is.
   False: Historically this was true, but the trend has changed and attackers are now looking for smaller, easier targets where the discipline of information security is not well practiced.

4. Myth: Security solutions are expensive and cumbersome.
   False: The biggest risk to your information and a company's intellectual property is social engineering: a method of obtaining information from individuals, usually by deception, in which the user unknowingly releases valuable information. Providing your employees with awareness training in social engineering tactics and safe use of social media is a low-cost measure with a high return.

5. Myth: We hire a hacker once a year to perform a penetration test, so we know our network is secure and our data is safe.
   False: Penetration tests are a snapshot in time of the security of your network, devices and PCs. Every day, new viruses and vulnerabilities are introduced, paving the way for opportunistic hackers. Ongoing processes and procedures aligned with information security best practices, together with awareness training, are the best ways to protect your data.

6. Myth: Anti-virus software and firewalls are all I need to protect my network.
   False: Current anti-virus software and properly deployed firewalls are important tools that protect your network and your information; however, they cannot guarantee protection from all attacks. Since a new form of malware is released onto the internet every 13 seconds, anti-virus software cannot keep up. At best, anti-virus software is thought to catch only 30% of the viruses and malware out there. Layered security, careful behavior by all users and keeping these technologies updated is the best way to reduce your risk.

7. Myth: If a hacker penetrates my network, we will detect it and can prevent any damage.
   False: Studies have shown that hackers infiltrate networks and remain in them for as long as 3-4 months before they are discovered. In some cases, it may be a third party, such as a customer, who reports the compromise.

SO WHO IS THE BIG BAD WOLF? A Brief Look at Cyber Data Security Threats

Threats and vulnerabilities to the safety of your information are growing quickly, and new malware, hacks and viruses are popping up every minute. Big Bad Wolves are usually those who seek personal gain from your information. The following are some of the more common threats to consider.

- Employee Actions: Employees, whether intentionally or unintentionally, can open your network to those whose intent is to do harm.
- Malware and Viruses: Emails or websites containing malware intended to disrupt computer systems can be opened inadvertently, due to a lack of awareness of the associated threats.
- Spyware: Malware typically loaded onto your system by clicking on a link, and used to gather information as your system is used.
- Hackers: Those who obtain financial and other information to sell online and/or for other personal gain. Hackers may target specific companies, but mostly, systems are randomly searched for easy entry points.
- Hacktivists: This hacking has a different motive. Hacktivists target organizations they disagree with and want to stop the target's ability to continue its work, or to cause the organization embarrassment. Politically or financially motivated, they are normally in opposition to the organization's mission and goals.
- Web-Page Takeover: Someone else takes control of your website; it may be done as an act of cyber-espionage.
- Cyber Terrorists: Typically groups whose goal is to disable the American economy by interrupting business. These attacks are often targeted at large national organizations regardless of the services they provide.
- Disgruntled Employees or Ex-Employees: The potential for those who would attempt to steal and defraud by accessing your information is a reason to remove their system access at the time of termination, or to limit access to information they do not require.
- Employees Involved in High-Risk Activities: Such employees often visit websites catering to those activities. These sites commonly promote insecure practices, and those visiting them are therefore more apt to cause system problems.
- Vendors, Outside Sales Representatives and Trainers: It is important to have information security policies in place and to limit the access of third parties and contractors who access or support your network.
- Mobile Devices, Flash Drives and Social Media: These common mechanisms present potential risks and must be considered in your information security awareness training and practices.
- Phishing Emails: Posing as legitimate emails from your bank or other vendors, phishing emails are in fact a false front for identity theft, asking for information such as passwords and/or account numbers.

Awareness Campaigns

The best awareness campaigns are simple: informational posters, flyers or emails heightening awareness of an organization's information security practices.

Employee Awareness, Training and Security Practices

1. New Employees: New employees should receive the Information Systems Security Policies and training during orientation, and should be required to sign to indicate their understanding and intent to comply.

2. Exiting Employees: Interview all outgoing employees, regardless of their position, to ensure any unique passwords have been reported and that company data and property, including devices, are returned. IT should immediately disable network, system and remote access for all terminated employees, reset their passwords, and develop a policy for the ongoing retention of that employee's files and data and the authorization required for others to access them.

3. Employees Who Leave Without Notice: In addition to the measures above for exiting employees, additional steps should be considered for those who leave without notice. Secure their computer, check for viruses or evidence of breaches, and monitor the network for any attempts they may make to access it for several weeks following their departure.

4. Vendors and Sub-Contractors: Establish a policy that requires their compliance with your security rules and policies. Require a Non-Disclosure Agreement to protect privacy and information before granting access to your information systems.

5. Employee Use of Company Equipment: Policy should identify how and when company information systems, including cell phones, are to be used, and require safe practices.

6. Social Media Policy: Consider adopting a social media policy and ensure that employees are aware of the risks presented by their use of social media.

7. Reporting: Ensure employees know what, when and how to report suspicious activities.

8. Record Keeping: Ensure your IT personnel keep a log of any suspected hacks or other questionable matters, for future investigations.

9. Policies on Changing and Sharing Passwords on Your Computers: Establishing how often passwords should be updated, the number of characters used in a password, and how those requests are made of employees will help keep everyone accountable. It is a good idea to keep an updated list of all important or key passwords in a sealed envelope in a locked safe, accessible only by senior management, in the event of an emergency.

10. Establish Standard Operating Policies: Ensure that employees know the organization's standard operating procedures for items which may put your network at risk. Some items to consider are:
   - Phishing emails
   - Opening attachments
   - Identifying and handling questionable emails
   - Use of personal/vendor flash drives

11. Personal Computers/Mobile Devices: Accessing company emails or data remotely on a laptop or mobile device places a significant risk on your organization. Ensure that you have a clear policy for employees in the event of a breach. If you allow remote access, ensure that employees are aware of potential threats such as:
   - Smart phones have the potential to be hacked.
   - A cell phone that is warm while not in use may indicate a breach.
   - There are programs that can remotely turn on a mobile device's microphone and camera.
   Anti-Virus Software Updates: Personal laptops and mobile phones should have anti-virus software. Ensure employees know their responsibility to keep it up to date.

12. Cloud Storage and Online Tools: Many employees enjoy online tools; however, it is important for them to realize that many of those tools run in what is referred to as "the cloud", and the server is often housed in another state or country. Remind employees that cloud-related products should be approved prior to use.

13. Reporting Procedures for Compromised Data or Possible Breaches: Ensure that every employee knows that a suspected compromised system should be identified immediately, whom to report it to, and that a delay in notification can increase the damage.

14. Significant Breaches That Must Be Reported to Law Enforcement: Depending on your company's work and the severity of the breach, local law enforcement may need to be contacted. Companies should know that in cases such as child pornography, contacting law enforcement is required and the company can be in jeopardy if contact is not made. Be sure to secure the computer until law enforcement arrives; such computers should NOT be turned off, as that will erase the cache memory, but they should be disconnected from the network to avoid further damage.

15. Disaster and Recovery Planning: Having a plan in place and completing emergency drills will keep you prepared in the event of an actual emergency and will hopefully minimize the downtime of your business.

16. How Often Should I Train, and How Do I Get It to Everyone: The frequency of awareness training is based on your company's information security risks. Training can be as simple as a reminder of a single security practice or learning about a new threat. Department staff meetings are a great way to update multiple employees at one time. Based on position, employees can also attend local training seminars, and vendor meetings are valuable resources for low- or no-cost training. In all cases, training should be an ongoing activity, regardless of the form it takes.

REFERENCES

Cyber Security Program Resources
- Clark-Las Vegas Community Policy & Standards
- SANS Institute Security Policy Project: www.sans.org/resources/policies/
- National Security Agency (NSA) Security Configuration Guides: http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/
- National Institute of Standards and Technology (NIST) Security Publications: http://csrc.nist.gov/publications/
- Defense Information Systems Agency (DISA) Security Technical Implementation Guides: http://iase.disa.mil/stigs

Federal
- United States Computer Emergency Readiness Team (US-CERT): http://www.us-cert.gov
- DHS Critical Infrastructure / Key Resources: http://www.dhs.gov/files/programs/gc_1189168948944.shtm
- Common Criteria: http://www.commoncriteriaportal.org/
- Forum of Incident Response & Security Teams (FIRST): http://www.first.org

Training
- The Center for Infrastructure Assurance and Security (CIAS): www.ciastraining.com

Information Sharing
- Multi-State Information Sharing and Analysis Center (MS-ISAC): http://www.msisac.org/
- Department of Homeland Security (DHS) Communication and Interoperability Memorandums of Understanding, Various Tools: http://www.safecomprogram.gov/
- Information Systems Security Association (ISSA): https://www.issa.org/
- ISACA: https://www.isaca.org/pages/default.aspx

Great for Families
- National Center for Missing and Exploited Children: www.netsmartz.org
- National Cyber Security Alliance: http://www.staysafeonline.org/
- Anti-Phishing Working Group: http://www.stopthinkconnect.org/
- On Guard Online: www.onguardonline.gov
- Federal Trade Commission Identity Theft, Deter, Detect, Defend: http://www.ftc.gov/bcp/edu/microsites/idtheft

Credit Monitoring
- www.freecreditreport.com
- www.annualcreditreport.com (one free credit report per year from the three credit reporting agencies)

Other
- The Texas Engineering Extension Service (TEEX): www.teexwmdcampus.com/
- The Cyberterrorism Defense Initiative (CDI): http://www.cyberterrorismcenter.org