End-User Information Security Awareness Training
Why Awareness Training?
- NCLM sanctioned multiple Security Risk Assessments for a broad spectrum of member municipalities.
- The assessments identified areas of weakness common throughout the sampled municipalities, regardless of size.
- One of the most commonly identified weaknesses is a lack of general end-user security awareness training.
What will this training cover?
This training highlights general end-user best practices that address the most common information security weaknesses identified during member municipality security risk assessments, including:
- Ensuring your workstation is up to date and secure
- Creating and using secure passwords
- Using your mobile devices securely
- Browsing the web and using email securely
- Identifying and avoiding phishing emails
What will this training cover? (cont'd)
This training will also teach you:
- What should be considered sensitive and protected information
- Potential consequences of an information security breach
- How to arm yourself with information security intelligence
- What to do if you encounter something suspicious
What's in it for me?
The goal is to educate employees to:
- Proactively secure their computing resources at home and at work.
- Recognize what types of security issues and incidents may occur.
- Know what actions to take.
What is sensitive data? And why should we protect it?
Sensitive data may include:
- Credit card numbers
- Social Security numbers
- Driver's license numbers
- Protected health data
- Law enforcement data
- Business processes
- Financial data
- Copyrights
- Trademarks
- HR data
It is valuable to our residents, our employees, and our operation. Protect it!
Threat Sources
Threat sources may include both insiders and outsiders, such as:
- Governments
- Disgruntled employees
- Hackers
- Organized crime
Information Security Statistics
A few things to be aware of (2012 figures; the numbers will have changed since, but the pattern has not):
- External parties ("outsiders") are responsible for far more data breaches than insiders and partners (98% of the breaches analysed in the 2012 report).
- Malware factored in over two thirds of the breaches investigated.
- Identity theft is the fastest-growing crime in the US: more than 750,000 victims a year (or 1 in 20 Americans), with losses exceeding $2 billion.
- Over 1,000 viruses are created each month.
Source: Verizon Data Breach Investigations Report 2012, http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf
What does this have to do with me?
"People are the weakest link. You can have the best technology, firewalls, intrusion-detection systems, biometric devices, and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything." (Kevin Mitnick)
Kevin Mitnick is a computer security consultant, author, and hacker. In the mid-1990s he was the world's most-wanted computer hacker.
What can happen?
Bad things that can happen:
- Disruption of business/personal time
- Loss of money (business/personal)
- Identity theft
- Heavy fines from regulatory agencies
- Criminal investigations
- Lawsuits
- Reputational damage to the municipality and its elected officials
General Best Practices
Make sure your workstation is secure:
- Install active anti-virus and keep it current.
- Apply Microsoft and third-party software security updates.
- Do not install unauthorized/free software on municipal systems without IT approval.
- Do not install free software at home unless it has been validated by a trusted source.
- Do not disable security software, such as anti-virus, personal firewall and intrusion detection software.
- If you are unsure about any of the above, contact IT for guidance.
Password Best Practice
- Use a complex password:
  - At least eight characters. Longer is better; length does more for strength than any symbol substitution.
  - Use capital and lower-case letters, numbers and symbols.
- Do not use commonly used passwords like "password", "12345678" or "LetMeIn".
- Use phrases, and substitute symbols and numbers for letters. For example, instead of MyDogSpot use MyD0g$p0t. Be aware that the usual substitutions (0 for o, $ for s, @ for a, 3 for e) are built into password-cracking tools, so a substituted short word is only slightly harder to guess than the plain word; a longer phrase gains far more.
- Change your password at least every 60-90 days, and immediately if you suspect it has been exposed.
- Do not re-use old passwords, and do not use the same password on more than one site.
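The following is an added example, not code from the original training deck, showing why "MyD0g$p0t" is barely stronger than "MyDogSpot". It compares the naive "character classes times length" estimate that complexity rules rely on with the cost of a dictionary-plus-substitution attack, the kind of attack cracking tools run first. The word lists (COMMON, WORDS) and the sample passwords are constructed for illustration; a real checker would load a cracking wordlist such as the ones shipped with John the Ripper or Hashcat.

```python
"""Added example, not code from the original training deck: why substituting
symbols for letters ("MyD0g$p0t") adds little strength. The word lists and
sample passwords are constructed for illustration; a real checker would load
a cracking wordlist (for example those shipped with John the Ripper or
Hashcat) instead of the handful of words below."""
from __future__ import annotations

import math
import string

# Substitutions that cracking tools undo automatically ("leet" rules).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

# Constructed stand-ins for a common-password list and a dictionary.
COMMON = {"password", "12345678", "letmein", "qwerty", "welcome", "iloveyou"}
WORDS = {"my", "dog", "spot", "cat", "the", "summer", "admin", "welcome",
         "love", "blue"}


def deleet(password: str) -> str:
    """Undo the usual substitutions and lower-case, as a cracker's rule set does."""
    return password.translate(LEET).lower()


def segment(text: str, words: set[str] = WORDS) -> list[str] | None:
    """Split text entirely into dictionary words (longest first), else None."""
    if not text:
        return []
    for i in range(len(text), 0, -1):
        if text[:i] in words:
            rest = segment(text[i:], words)
            if rest is not None:
                return [text[:i]] + rest
    return None


def naive_bits(password: str) -> float:
    """The 'character classes x length' estimate that complexity rules assume."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def dictionary_bits(password: str, words: set[str] = WORDS) -> float | None:
    """Work for a dictionary-plus-rules attack: one word choice per part, plus
    one bit per substitution or capital that may or may not have been applied.
    None when the de-leeted password is not made of dictionary words."""
    plain = deleet(password)
    parts = segment(plain, words)
    if parts is None:
        return None
    subs = sum(1 for a, b in zip(password.lower(), plain) if a != b)
    caps = sum(1 for c in password if c.isupper())
    return len(parts) * math.log2(len(words)) + subs + caps


def assess(password: str) -> dict:
    """Compare both estimates and give a verdict based on the cheaper attack."""
    plain = deleet(password)
    naive = naive_bits(password)
    dictionary = dictionary_bits(password)
    if len(password) < 8 or password.lower() in COMMON or plain in COMMON:
        verdict = "weak"
    elif dictionary is not None and dictionary < 40:
        verdict = "weak"  # looks complex, but a wordlist attack is cheap
    elif naive < 60:
        verdict = "fair"
    else:
        verdict = "strong"
    return {"password": password, "naive_bits": round(naive, 1),
            "dictionary_bits": None if dictionary is None else round(dictionary, 1),
            "verdict": verdict}


if __name__ == "__main__":
    for pw in ["password", "12345678", "MyDogSpot", "MyD0g$p0t", "xq7#Vb2!kLm9"]:
        print(assess(pw))
```

With the constructed ten-word dictionary, MyD0g$p0t scores about 59 naive bits but only about 15 dictionary bits, two bits more than the plain MyDogSpot: the three substitutions bought almost nothing. The random 12-character string scores about 79 bits and does not segment into words at all, which is the point of the "longer is better" note above.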
Secure your workstation
- Lock your computer when you leave your work area.
- Set your screensaver to start automatically after a few minutes of inactivity, and require a password to deactivate it.
- Do not store written passwords. Passwords kept on your desk or monitor, under keyboards or in desk drawers are not secure!
- Do not email passwords. Email is not end-to-end encrypted: a message can sit in clear text in mailboxes and on mail servers along its path, where anyone with access to them can read it.
Stay informed
Arm yourself with information:
- If your anti-virus vendor offers an alert notification service, subscribe to it. Check other vendors to see if they have an alert list as well; some anti-virus developers release warnings ahead of others, so it may be good practice to subscribe to several lists.
- Symantec's "Guide to Scary Internet Stuff" series (YouTube) provides useful information in a humorous manner. Topics include phishing, botnets, the underground economy, drive-by downloads, misleading applications, net threats, losing your data, etc.
- Microsoft offers a security bulletin mailing list as well. Subscribing will help you stay on top of security-related patches and could prevent problems such as falling victim to known attacks: http://technet.microsoft.com/en-us/security/
Sources: http://www.symantec.com/connect/articles/introduction-viruses-and-malicious-code-part-two-protection and http://www.mcafee.com/apps/mcafee-labs/signup.aspx?region=us
Mobile Device Security
- Never leave mobile devices unattended in a public area such as a restaurant or coffee shop.
- Never leave mobile devices in plain view through the windows of a car.
- Use device locks such as a PIN/passcode on phones and tablets.
- Use anti-virus.
- Use remote wipe technology.
More Mobile Device Security
Be mindful of QR codes:
- Scanning a QR code is just like clicking on a link, and just like a link, a QR code can be used for malicious purposes.
- Use an app like Norton Snap to check that a code's destination is legitimate before you open it.
- In a store or restaurant, make sure the QR code you are about to scan is not a sticker placed over the original and is actually printed on the item or marketing material.
More Mobile Device Security
Be mindful of what you install:
- Make sure apps come from reputable sources.
- Check permissions. Are they appropriate for the app you are downloading? If in doubt, ask IT for guidance.
- Don't store sensitive data on your mobile devices. This includes laptops, phones, tablets and removable storage devices like USB drives.
- Report loss or theft of mobile devices as soon as possible!
Internet Security Best Practices
While on the Internet:
- Configure your computer to ask before installing software, and do not browse the web while logged on as administrator.
- Social networking websites do not verify the content they display, so make sure you trust the poster before viewing videos or media files (many contain embedded malicious code).
- Avoid using "Remember this password" for websites.
- Free music and file-sharing programs (BitTorrent, Kazaa and other P2P, peer-to-peer, tools) are wide-open doors for hackers.
- Before you enter sensitive information, look for the browser lock and https://. The lock only means your connection to the site is encrypted; it does not prove the site is the one you intended, so check the domain name in the address bar as well.
Internet Security Best Practices
Beware of malware and spyware:
- Software could be installed that tracks and records keystrokes, mouse movements and clicks, websites visited and virtually any other activity on a computer, including your bank account login ID and password.
- Ever get pop-ups that constantly ask you to click OK and won't go away? This is often due to malicious code.
- "Helpful" toolbars? Once the toolbar program is installed, it can collect anything it wants, and it is almost impossible to remove; it can often reinstall itself automatically.
- If you suspect malware or spyware, contact IT for assistance.
And be careful how you make purchases:
- When making online purchases, always use a credit card, which usually limits your personal liability. Avoid paying with debit cards.
Email Security Best Practices
- Keep personal email personal. Use work email only for work purposes; don't mix them up. Don't register on personal websites with your work email.
- If you didn't expect an email, don't open it; check with the sender first.
- No valid source will ever ask for your password. Contact IT immediately if you receive an email requesting your login credentials.
- Never open attachments from unexpected sources.
- Always check links before you click them!
How do I check a link in an email?
Hover over a link before you click it:
- Sometimes a link's text masks the website it actually points to. If you hover over a link without clicking, the full URL of its real destination appears in the status bar of your browser or email client (on a phone or tablet, press and hold the link to see it).
- When you read that URL, the part that identifies the site is the domain name just before the first single slash; everything before it, including a familiar company name, can be chosen by the attacker.
- For example, both of these links connect you to NCLM's home page, but you wouldn't know it without hovering:
  Click Here!
  http://www.nclm.org
  http://www.freerolexwatches.com/
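The following is an added example, not code from the original training deck, that automates the hover check for the links in this slide and the phishing section that follows. It lists every link in an HTML email and flags the ones whose visible text points somewhere other than the real href, whose host merely contains a trusted name, or whose host is a bare IP address. SAMPLE_EMAIL, the `trusted` parameter and the impersonating host under example.net are constructed for the example.

```python
"""Added example, not code from the original training deck: an automated
version of the hover check. SAMPLE_EMAIL and the impersonating host under
example.net are constructed for illustration."""
from __future__ import annotations

import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message: the three links from the slide, plus two phishing-style
# links that hovering would expose.
SAMPLE_EMAIL = """
<p><a href="http://www.nclm.org">Click Here!</a> and
<a href="http://www.nclm.org">http://www.nclm.org</a> and
<a href="http://www.nclm.org">http://www.freerolexwatches.com/</a>
all open NCLM's home page.</p>
<p>Please confirm your details at
<a href="http://www.nclm.org.account-verify.example.net/login">https://www.nclm.org/login</a>
or <a href="http://192.0.2.10/login">sign in here</a>.</p>
"""

# Visible link text that itself looks like a URL or domain name.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in the message."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host of a URL; bare 'www.example.org' text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html: str, trusted: set[str] = frozenset()) -> list[dict]:
    """Return one record per link with a list of problems (empty if clean)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = host_of(href)
        problems = []
        # The hover check: visible URL text versus where the link really goes.
        if URL_LIKE.fullmatch(text) and host_of(text) != host:
            problems.append("visible URL does not match destination")
        # A trusted name buried inside a longer host belongs to someone else:
        # only the domain just before the path identifies the site.
        for name in trusted:
            if host != name and not host.endswith("." + name) and name in host:
                problems.append(f"host contains {name} but is not {name}")
        if is_ip(host):
            problems.append("destination is a bare IP address")
        findings.append({"text": text, "href": href, "host": host,
                         "problems": problems})
    return findings


def suspicious(html: str, trusted: set[str] = frozenset()) -> list[dict]:
    """Only the links a reader should not click without verifying first."""
    return [f for f in check_links(html, trusted) if f["problems"]]


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL, trusted={"nclm.org"}):
        status = "; ".join(f["problems"]) or "ok"
        print(f'"{f["text"]}" -> {f["host"]}: {status}')
```

Run against SAMPLE_EMAIL with `trusted={"nclm.org"}`, the first two links pass, the freerolexwatches link is flagged because its text and destination differ (exactly what hovering shows), the account-verify link is flagged twice (text mismatch, and "nclm.org" is only a prefix of a host under example.net), and the last link is flagged for pointing at a bare IP address. The `trusted` set is the same idea as the slide's advice: know the real domain, then compare.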
What is Phishing?
- Phishing is a term for fraudulent Internet scams that set out to deceive users into providing personal information, which is often used for identity theft. The name is a play on "fishing" for passwords.
- Phishing emails appear to come from a well-known and trusted company and are sent to a large number of addresses. They may direct the recipient to a fraudulent website that looks exactly like the real one, where he or she is asked for personal information.
- They are designed to get data from users without their knowledge, usually sensitive data such as credit card information, usernames or passwords.
- Phishing emails commonly pretend to be from organizations such as PayPal, an airline, or a bank.
Source: http://www.symantec.com/norton/transactsafely/phishingfaq.jsp
What does a phishing email look like?
Here is an actual phishing email sent to customers of Barclays bank, with a link to a fraudulent website. Notice the errors; this is a common trait of phishing emails.
How do I keep from getting phished?
The most powerful weapons against phishing are common sense and the following rules:
1. If you are not a customer of the site, delete the email immediately. Don't click on the link or reply.
2. If you are a customer and you are not sure whether the email is legitimate, do one of the following:
   a. Contact the institution by phone, or through the official website (not the link in the email, of course), and ask whether the email is genuine.
   b. Instead of using the link provided, visit the website by typing in the official URL. The site should have news about the email on its home page. If not, use 2a to verify the email.
Source: http://www.symantec.com/norton/transactsafely/phishingfaq.jsp
If you see something suspicious at work:
- Report any unusual system activity to the IT Help Desk.
- Do not investigate the incident yourself; the IT team will lead the investigation.
- Never attempt to prove a security weakness.
- You will never be criticized or get in trouble for reporting something that you feel is suspicious.
- When in doubt, report it!
Information Security is Everyone's Responsibility
- Security is NOT merely about checking boxes!
- The intent of awareness training is to prevent fraud, protect customers and residents, and secure our data.
- Requirements must be met, but the goal is robust information security within our network.
Questions?
Secure Enterprise Computing has been performing network and application security assessments for over 13 years. We are happy to help you with any and all compliance efforts.
Website: http://www.secure-enterprise.com/
Phone: 919-380-7979