Information Security Training
Jason Belford, Jimmy Lummis

Presenters: Who are these guys?
Jason Belford, Principal Information Security Engineer
Jimmy Lummis, Information Security Policy and Compliance Manager

Georgia Tech Information Security
OIT Information Security:
Georgia Tech Security Policy
Regulatory Compliance
Incident Response
Operational IT Security
Training and Awareness
Computer & Network Usage and Security Policy (CNUSP)

CNUSP - Highlights
Applies to Faculty / Staff / Students / Guests / Contractors
Encompasses appropriate use of GT computers and networks
Defines expectation of privacy

CNUSP - Do
Do:
Use IT resources in an ethical and legal manner
Follow Intellectual Property laws
Use a password-protected screensaver
Report issues immediately
Stop and ask if you have questions or concerns!

CNUSP - Don't
Don't:
Circumvent security
Install non-approved software
Use Institute Resources for personal gain (Incidental Use)
Allow others to use your computer
Be afraid to ask questions!
CNUSP - Quiz
True or False: The CNUSP allows you to download MP3s to your Georgia Tech computer.
True or False: I do not need approval to install or use personal software on my Georgia Tech computer.
True or False: If my coworker asks for access to my computer, I should just allow it.

CNUSP - Links
Computer & Network Usage and Security Policy: http://policylibrary.gatech.edu/computer-and-networkusage-and-security
Data Access Policy

Data Access Policy (DAP)
The Data Access Policy (DAP) provides a structured and consistent process for employees to obtain the data access necessary for conducting Georgia Tech operations.
All employees of Georgia Tech are covered by the DAP.
All Georgia Tech data (electronic, paper or otherwise) are covered by the DAP.
All Georgia Tech data is classified into one of four categories.

Data Access Policy - Data Classification
Category I, Public Use. Examples: Institute web site content, press releases, employee work addresses
Category II, Internal Use. Examples: directory listings, internal intranet web sites, gtid (alone)
Category III, Sensitive. Examples: Social Security Number, research data, intellectual property of Georgia Tech
Category IV, Highly Sensitive. Examples: Credit Card Numbers

Data Access Policy - Do
Do:
Request access to non-public data appropriately
Assume all data, unless already classified, is category II
Limit the use of data to only what is absolutely necessary
Encrypt non-public data at rest and in-flight
Be mindful of who you share non-public data with
Reach out to Information Security and ask!

Data Access Policy - Don't
Don't:
Attempt to access data you aren't authorized to access
Give data to unauthorized individuals
Store data unless absolutely necessary
Store data on unsecured systems
Store data on mobile devices unless absolutely necessary
Be shy; reach out to Information Security and ask!
Data Access Policy - Quiz
True or False: The Data Access Policy states that all data and information should be freely available and made public.
Question: What classification category is credit card data?
True or False: When I'm not sure what to do with sensitive data, I should crawl under my desk and hide.

Data Access Policy - Links
Data Access Policy: http://policylibrary.gatech.edu/data-access

Current Threats
Hacking
To circumvent security and break into another's server, Web site, or the like with malicious intent [1]
Motivation: Curiosity, Monetary, Political, Publicity, Strategic (State sponsored)
[1] http://dictionary.reference.com/browse/hacking

Hacktivism
Hack + Activist = Hacktivist
Political motivation
Most often carried out anonymously

Hacks (2011)
http://redmondmag.com/articles/2011/06/27/timeline-of-anonymous-lulzsec-hacks.aspx

Hacks (2012)
http://redmondmag.com/articles/2011/06/27/timeline-of-anonymous-lulzsec-hacks.aspx

Malware
Malicious Software
Purpose: disrupt computer operation, gather sensitive information, gain unauthorized access to computer systems
Biggest issue on Georgia Tech campus each year
http://en.wikipedia.org/wiki/malware

Social Engineering
The art of manipulating people into performing actions or divulging confidential information.
Types: Baiting, Phishing, Tailgating, Vishing
Phishing
From: GaTech Email Admin [mailto:noreplies@gatech.edu]
Sent: Friday, September 09, 2011 3:35 AM
To: George Burdell <george.burdell@gatech.edu>
Subject: Upgrade Your Email
You are currently viewing Gatech in basic HTML. Why? Follow the link below for faster, better webmail. Click HERE.

Phishing
From: GaTech Email Admin <noreplies@gatech.edu>
Sent: Friday, September 09, 2011 3:35 AM
To: George Burdell <george.burdell@gatech.edu>
Subject: Upgrade Your Email
You are currently viewing Gatech in basic HTML. Why? Follow the link below for faster, better webmail. Click HERE.
The "Click HERE" link actually points to: http://gatechupgrade.dfjsdh422tgs.cn

URL Dissection
http://www.gatech.edu/login/index.html
Phishing Quiz

Gone Phishing?
https://login.gatech.edu
Is this site legitimate? YES!

Gone Phishing?
https://highereducation.gt.edu.hied.com/login
Is this site legitimate? NO!

Gone Phishing?
http://login.gt.gatech.edu
Is this site legitimate? NO!

Gone Phishing?
https://loginpage.dept.gatech.edu
Username: ______ Password: ______ [SUBMIT]
Is this site legitimate? MAYBE. When in doubt... ASK!
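The URL dissection slide and the "Gone Phishing?" quiz come down to one habit: read the scheme and the host of a link before trusting it, because the host is the only part that says who will receive what you type. The following Python script is an added example written for this page, not material from the original training deck; it assumes gatech.edu is the trusted domain and login.gatech.edu the central login host (both taken from the slides), and it reproduces the quiz answers for the slide URLs as well as the sender-versus-link mismatch in the phishing e-mail.

```python
from urllib.parse import urlsplit

# Assumption: the organisation whose hostnames are trusted, taken from the deck's examples.
TRUSTED_DOMAIN = "gatech.edu"
# Assumption: the central login host, taken from the "Gone Phishing?" slide answered YES.
CENTRAL_LOGIN_HOST = "login." + TRUSTED_DOMAIN


def dissect_url(url):
    """Split a link into the parts worth reading before clicking: scheme, host, path.

    The host decides who receives your credentials; the scheme decides whether
    they travel encrypted; the path can say anything the link's author wants.
    """
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme.lower(),
        "host": (parts.hostname or "").lower(),
        "path": parts.path or "/",
    }


def host_belongs_to(host, domain):
    """True when host is the domain itself or a real subdomain of it.

    Checking the trailing labels is what separates loginpage.dept.gatech.edu
    (a subdomain) from highereducation.gt.edu.hied.com, where a familiar name
    has been placed in the middle of a foreign hostname.
    """
    return host == domain or host.endswith("." + domain)


def judge_link(url):
    """Reproduce the decision on the 'Gone Phishing?' slides: YES, NO or MAYBE."""
    d = dissect_url(url)
    if not host_belongs_to(d["host"], TRUSTED_DOMAIN):
        return "NO"     # foreign or lookalike domain
    if d["scheme"] != "https":
        return "NO"     # a login page served over plain http is not acceptable
    if d["host"] == CENTRAL_LOGIN_HOST:
        return "YES"
    return "MAYBE"      # inside the domain but not the known login host: ask


def sender_domain(address):
    """Domain part of an e-mail address ('noreplies@gatech.edu' -> 'gatech.edu')."""
    return address.rsplit("@", 1)[-1].lower()


def link_leaves_sender_domain(sender_address, url):
    """True when a link points outside the domain the message claims to come from.

    This is the mismatch on the phishing slide: the sender shows
    noreplies@gatech.edu, but "Click HERE" leads to a .cn host.
    """
    return not host_belongs_to(dissect_url(url)["host"], sender_domain(sender_address))


if __name__ == "__main__":
    # Walk-through using the URLs shown on the slides (constructed demo, no network access).
    for url in ["https://login.gatech.edu",
                "https://highereducation.gt.edu.hied.com/login",
                "http://login.gt.gatech.edu",
                "https://loginpage.dept.gatech.edu"]:
        print(url, "->", judge_link(url))
    print(link_leaves_sender_domain("noreplies@gatech.edu",
                                    "http://gatechupgrade.dfjsdh422tgs.cn"))
```

The checks are deliberately about the hostname's trailing labels rather than about whether "gatech" appears anywhere in the URL, since the lookalike on the quiz slide and the .cn host in the e-mail both contain the familiar name.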
Mobile Device Security

Mobile Device Security - What's a Mobile Device?
Mobile computing devices at Georgia Tech include, but are not limited to:
Cellular telephones
Smart phones (e.g. iPhones, Android Phones, BlackBerry)
Tablet computers (e.g. iPad, Kindle, Kindle Fire, Android Tablets)
Personal Digital Assistants (e.g. Palm Pilot)
Any other mobile device containing Georgia Tech data (e.g. laptops, USB drives)

Mobile Device Security - Threats
Lost or stolen devices
Mobile malware
Privacy threats
Wi-Fi / Bluetooth sniffing

Mobile Device Security - Securing the Device
Passwords/Encryption
Don't store sensitive data
Antivirus
Device locators
Remote wipe
Don't jailbreak!

Mobile Device Security - Device Awareness
Keep your mobile devices with you at all times
If not with you, store in a secured location
Do NOT leave devices unattended in public locations: airports, conference rooms, restaurants
Mobile Device Security - Quiz
True or False: Malware is only an issue for my home computer.
True or False: I should always store sensitive data on my mobile device!
True or False: It's okay to ask a stranger to hold your mobile device while you tie your shoe.

Mobile Device Security - Links
Stay tuned: currently working to update the Data Access Policy and Data Protection Safeguards to include controls for mobile devices.

Passwords
Policy Changing Soon
Passwords must:
Be 11 to 23 characters
Be changed every 120 days
Contain at least 3 character classes: Lowercase Alphabetic (abcdefg...), Uppercase Alphabetic (ABCDEFG...), Numbers (0123456789), Special Characters (!@#$%&*...)
Passwords cannot:
Contain your username
Be one of your most recent 3 passwords
http://policylibrary.gatech.edu/passwords

Picking a Strong Password - Bad Habits
Don't share your password with anyone, EVER!
Don't use the same password for multiple accounts
Don't write down your passwords
Don't select a password and then keep changing the number on the end
DON'T USE ANY PASSWORD SEEN IN THIS PRESENTATION!

Picking a Strong Password (Method 1)
Start with a phrase that means something to you: I'm a Rambling Wreck from Georgia Tech!!!
Keep the first letter from each word and the punctuation: I a R W f G T!!!
Add some numbers or replace letters with numbers: 1 a R W f 6 T!!!
1 arwf6t!!!

Picking a Strong Password (Method 2)
Start with a phrase that means something to you: And a Heck of an Engineer
Replace spaces and letters with special characters: &a-heck-of-an-engineer

Picking a Strong Password (Method 3)
Start with a phrase that means something to you: Like all the jolly good fellows
Pad the beginning and the end with special characters and numbers: 1885jollygoodfellows
Picking a Strong Password - How do our new passwords compare?
Password | Number of Characters | Character Classes | How Secure? | Time to Crack?
Buzz1234567 | 11 | 3 | Weak | 10 hours
1 arwf6t!!!!! | 11 | 4 | Strong | 19 years
&a-heck-of-an-engineer | 23 | 3 | Very Strong | 9 billion trillion centuries
1885jollygoodfellows | 23 | 3 | Very Strong | 6 billion trillion centuries
Source: https://www.grc.com/haystack.htm

Picking a Strong Password
Good Mascot, Bad Password
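The "Policy Changing Soon" rules (length, character classes, no username, no reuse of the last 3) are exactly the kind of thing a self-service password change page enforces, and the comparison table shows why passing them is necessary but not sufficient. The Python below is an added example written for this page, not code from the deck or from Georgia Tech; it encodes the stated policy values, treats any punctuation character as "special" (an assumption, since the slide lists !@#$%&* as examples only), and adds one hypothetical rule beyond the stated policy that catches the "keep changing the number on the end" habit from the bad-habits slide. Buzz1234567 passes every structural check, which is the "Good Mascot, Bad Password" point: the policy cannot see that the word is guessable.

```python
import re
import string

# Policy values as stated on the "Policy Changing Soon" slide
MIN_LENGTH, MAX_LENGTH = 11, 23
MIN_CLASSES = 3
HISTORY_DEPTH = 3

# Assumption: any punctuation character counts as "special"; the slide's
# !@#$%&* is a list of examples, not an exhaustive set.
CHAR_CLASSES = {
    "lowercase": lambda c: c in string.ascii_lowercase,
    "uppercase": lambda c: c in string.ascii_uppercase,
    "number": lambda c: c in string.digits,
    "special": lambda c: c in string.punctuation,
}


def character_classes(password):
    """Return the set of character-class names present in the password."""
    return {name for name, test in CHAR_CLASSES.items() if any(test(c) for c in password)}


def strip_trailing_digits(password):
    """'Buzz1234567' -> 'Buzz'; used to spot the "same password, new number" habit."""
    return re.sub(r"[0-9]+$", "", password)


def check_password(password, username, history=()):
    """Return the list of policy violations; an empty list means the candidate is accepted.

    history holds previously used passwords, oldest first; only the last
    HISTORY_DEPTH entries are consulted, matching the "most recent 3" rule.
    """
    problems = []
    length = len(password)
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        problems.append(f"length {length} is not between {MIN_LENGTH} and {MAX_LENGTH}")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(f"only {len(classes)} character class(es); {MIN_CLASSES} required")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    recent = list(history)[-HISTORY_DEPTH:]
    if password in recent:
        problems.append(f"is one of the most recent {HISTORY_DEPTH} passwords")
    elif strip_trailing_digits(password) in {strip_trailing_digits(p) for p in recent}:
        # Hypothetical extra rule, not part of the stated policy: rejects a
        # candidate that only changes the number on the end of a recent password.
        problems.append("differs from a recent password only in the trailing digits")
    return problems


if __name__ == "__main__":
    # Constructed demo: the username and history are made up for this example.
    for candidate in ["Buzz1234567", "Buzz1234568", "1arwf6t!!!", "gburdell2024!!xx"]:
        result = check_password(candidate, "gburdell", history=["Buzz1234567"])
        print(candidate, "->", result or "accepted")
```

Running the demo shows Buzz1234568 rejected only because of the added trailing-digit rule; with the stated policy alone it would be accepted, which is why the deck lists that habit separately from the formal requirements.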
Quiz
1. (T/F) When my supervisor asks for my password, I am required to give it to them.
2. (T/F) Since the passwords here are supposed to be more complex, it is ok to write them down.
3. (T/F) I should think of just one password and keep putting a different number on the end each password change.

Physical Security

Physical Security - Threats
Theft
Vandalism
Sabotage
Espionage

Physical Security - Common Exploitation Methods
Hardware key-loggers
Posing as a trusted authority or service person
Social engineering staff to gain access to facilities
Connecting a rogue device to the wired/wireless network
Tailgating to gain access to the data center

Physical Security - Combating the Threat
Be aware of your surroundings
Report anything that appears out of the ordinary
Inspect USB and other ports for unknown devices
When in doubt, ask for ID
Don't let your devices out of your sight
Keep sensitive items behind locked doors/drawers
Don't leave sensitive items in your car
Physical Security - Quiz
True or False: It's okay to hold the door for someone on your way into a secured facility.
Question: ______ are devices that can be attached to a computer which capture everything entered on a keyboard.
True or False: It's okay to talk about confidential research data on the phone with someone you've never talked to before.

What to do if you suspect you've been hacked!
Contact your CSR and report the issue
Run a virus scan
If you are unable to do so:
Save your work
Shut down your computer
Change your GT account password
It may be a good idea to change all other passwords as well

Questions

Contact Information
Jason Belford, jason.belford@oit.gatech.edu, 404-894-6159
Jimmy Lummis, jimmy.lummis@oit.gatech.edu, 404-385-0334
support@oit.gatech.edu