SlideShare a Scribd company logo

Information security awareness training

Download as PPTX, PDF
Sandeep Taileng, profile picture
Sandeep Taileng

The document provides an agenda for an information security awareness training over two days. Day 1 covers topics such as crown jewels, case studies, and a security survey. Day 2 continues the training with topics on anti-malware software, backups, portable storage devices, passwords, wireless security, phishing, and social media. Definitions and best practices are provided for many of these security topics.

Education
Related topics:
Information Security
1 of 40
Downloaded 56 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Information Security Awareness JULY 2017 DAY1 SANDEEP TAILENG
Day 1:Topics Covered • 10:00 - 10:15 - Greetings • 10:15 – 10:30 –WisdomTree • 10:30 – 11:00 – Crown Jewels • 11:00 – 11:30 –Three Letter Magic • 11:30 – 12:00 – Case Study • 12:00 – 12:30 – InfoSec Survey Day 2:Topics Covered • 10:00 - 10:15 - Greetings • 10:15 - 10:30 - Antivirus software • 10:30 - 10:45 - Backups • 10:45 - 11:00 - Portable Storage Devices • 11:00 - 11:30 Inadequate passwords • 11:30 - 12:00Wireless network security settings • 12:00 - 12:30 - Phishing • 12:30 - 13:00 - Social media Agenda
Wisdom Tree Wisdom Knowledge Information Data South facing traffic lights on corner of George and Pitt Street has turned red Meaning Red, 192.234.235. 245.678Raw I better stop the carApplied The traffic lights I am driving toward has turned red Context
Enterprise • Customer Data • Employee Data • Financial Numbers • IT Infrastructure • Location of DR Site • Business Strategy Personal • Driving License Number • Address • TFN Number • Medical Records • User ID and Passwords • Banking Information Crown Jewels
Why Secure Them • Liability • PrivacyConcerns • CopyrightViolations • IdentityTheft • ResourceViolations • Reputation Protection • Meet Expectations • Laws & Regulations
Three Letter Magic
Three Letter Magic
Case Study What Happened? • Jan 2016: Hackers installed malware into Bangladesh Central Bank computers to prevent workers from discovering the fraudulent transactions quickly. In the case of Bangladesh Bank, the malware subverted the software used to automatically print SWIFT transactions. • Feb 2016: Hackers used SWIFT credentials of Bank employees to send more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of NewYork asking the bank to transfer $951 millions of the Bangladesh Bank's funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia. • Thirty transactions worth $851 million were flagged by the banking system for staff review, but five requests were granted; $20 million to Sri Lanka (later recovered), and $81 million lost to the Philippines, entering the Southeast Asian country's banking system on February 5, 2016.This money was laundered through casinos and some later transferred to Hong Kong.
Case Study How was it stopped/discovered? • The hackers misspelled "Foundation" in their request to transfer the funds, spelling the word as "Fundation".This spelling error gained suspicion from Deutsche Bank, a routing bank which put a halt to the transaction in question after seeking clarifications from Bangladesh Bank. • Sri Lanka-based Pan Asia Bank initially took notice of the transaction, with one official noting the transaction as too big for a country like Sri Lanka. Pan Asia Bank was the one which referred the anomalous transaction to Deutsche Bank.The Sri Lankan funds have been recovered by Bangladesh Bank.
Case Study The impact • $81 Millions lost • Unrepairable reputational damage • Loss of trust in global market
Information Security Survey 1. What are your responsibilities for the protection of company assets? a) Assist with the protection and proper use of information assets b) Know the processes to protect information assets c) Build proper security practices into your day d) All of the above d) All of the above
Information Security Survey 2. When sending or forwarding email you should make sure that it does not? a) Create a chain mail situation b) Have an attachment file c) Follow general business practices d) Send to intended recipient a) Create a chain mail situation
Information Security Survey 3. When constructing a password you should? a) You should use your family member name, sports name, pet name and add a number on the end b) Use phrases or misspelled words with embedded numbers and special characters c) Use sequenced letters and numbers from your keyboard d) All of the above b) Use phrases or misspelled words with embedded numbers and special characters
Information Security Survey 4. What would you do if you encountered a security incident? a) Contact your SecurityTeam or General Manager b) Tell a co-worker c) Call the local newspaper d) None of the above a) Contact your SecurityTeam or General Manager
Information Security Survey 5. Who or what is the weakest link in the security chain? a) Internet b) Banking System c) Humans d) Head Office c) Humans
Information Security Survey 6. What is the best password for organisation’s system a) P@sS2 b) Password12345 c) T88Sydn3y d) J*gi97!0q d) J*gi97!0q
Information Security Survey 7. You are on your holidays and one of your staff called you to approve a $5 millions bank transfer.What would you do? a) Unrealistic. I am unreachable on my holidays b) My staff know my password while I am away c) I will ignore the call d) I will call back to the office number and ask the person to authenticate, before taking any action. d) I will call back to the office number and ask the person to authenticate, before taking any action.
Information Security Survey 8. Your kids visited you in your office and wanted to see the server room.What should you do? a) Open the server room and show them the servers b) Ask for permission from the General Manager c) Distract my kids d) Server room is off limit to any unauthorised individuals d) Server room is off limit to any unauthorised individuals
Information Security Survey 9. There is an earthquake in your city and your office is not available.What should you do? a) Call my General Manager / Colleague b) Stay at safe location till any further instructions provided c) Arrive to the identified BCP site d) All of the above d) All of the above
Information Security Survey 10. Information send from my corporate email account is private and no one can look at it? a) True b) False b) False
Information Security Awareness JULY 2017 DAY2 SANDEEP TAILENG
Day 2:Topics Covered • 10:00 - 10:15 - Greetings • 10:15 - 10:30 - Antimalware software • 10:30 - 10:45 - Backups • 10:45 - 11:00 - Portable Storage Devices • 11:00 - 11:30 Inadequate passwords • 11:30 - 12:00 Wireless network security settings • 12:00 - 12:30 - Phishing • 12:30 - 13:00 - Social media Agenda
Some Definitions Viruses • A virus is a computer program intentionally written and released to spread across computers and networks and disrupt your computing experience. • These bad-mannered programs come to your PC through email, the Internet, downloaded files, and files you open on a CD. • Viruses typically work by attaching themselves to another program on your PC, and do not infect the computer until the program runs. Worms • A worm is similar to a program but doesn't need to attach itself to another program to run. • Worms, a sub-class of viruses, are replicated automatically without human help (like an email address book attack). • Worms can bog down networks and web sites.And, the scary part is that you don't have to do anything but turn your computer on! Trojans • ATrojan poses as a legitimate program but is designed to disrupt computing on the PC it infects. It is not designed to spread to other computers. Backdoor Trojans • This type of code allows other computer users to gain access to your computer across the Internet.
Anti Malware Software Definition Anti-malware software is a program or set of programs that are designed to prevent, search for, detect, and remove software viruses, and other malicious software like virus, worms, trojans, adware, and more. What is the risk ? • Lock / Delete your data • Use your machine to infect other machines • Steal your personal information • User your machine to launch cyber attacks
Anti Malware Software What to do ? • Compare all Anti malware software available and choose which you can manage • Update your Anti malware software regularly • RunAnti malware scan on your device periodically (at least monthly) • Do not turn it off to install new software. Avast Eset Malwarebytes McAffee Avira Kaspersky AVG
Data Backup Definition A backup, refers to the copying and archiving of computer data so it may be used to restore the original after a data loss event. What is the risk ? • Unable to recover data after its loss, be it by data deletion or corruption. • Unable to recover data from an earlier time Is Backup and Disaster Recovery Same? • No, backup should be part of any disaster recovery plan, backups by themselves should not be considered a complete disaster recovery plan as not all backup systems are able to reconstitute a computer system or other complex configuration.
Data Backup What to do ? • Backup, Backup and more Backup • Backup Medias: • External hard drive • Flash Drive • Cloud Storage • Periodically check that your backup files can be restored.
Portable Storage Devices Definition Portable Storage Devices (PSDs) are small, lightweight, portable devices capable of storing large amounts of data.The most common kinds of PSDs are USB flash drives (also called USB keys or thumb drives), portable external hard drives, tablets (iPad, GalaxyTab), smart phones (iPhone, Android) and some MP3 players (iPod, Zune). Additionally, netbooks are often considered to be PSDs. What is the risk ? • Easy to carry in and out of enterprise • Most of the time no encryption
Portable Storage Devices What to do ? • Scan these devices, prior to use to look for malicious software. • Label these devices indicating their use. • Disable autorun and autoplay features for removable media devices.These automatically open removable media files when it is plugged into your system. • Define procedures for ensuring secure disposal of, or deletion of information from, PSDs. • If possible, encrypt or password protect these devices.
Weak Passwords / PINs Some Facts • Top 5 passwords are 123456, 123456789, qwerty, 12345678, password • Top 5 PINs are 1234, 1111, 0000, 9999, person’s year of birth • Above list is not changed for last five years • Two-thirds of people use no more than two passwords for all their online accounts • When people are asked to include a number in a password, the majority simply add a “1” or a “2” at the end. • The minimum password length experts now recommend to avoid being compromised by brute-force cracking is 13 • About 40% of organizations store privileged and administrative passwords in aWord document or spreadsheet.
Weak Passwords / PINs What to do ? • Where ever possible use 2 factor authentication or biometric • Don't use your login or user name in any form (as-is, reversed, capitalized, doubled, etc.) • Don't use your first, middle, or last name in any form. • Don't use your spouse's, significant other's, children's, friend's, or pet's name in any form. • Don't use other information easily obtained about you, including your date of birth, license plate number, telephone number, social security number, make of your automobile, house address, etc. • Don't use a password of all digits or all the same letter. • Don't use a word contained in English or foreign language dictionaries, spelling lists, acronym or abbreviation lists, or other lists of words. • Don't use a password containing fewer than six characters. • Don't give your password to another person for any reason.
Wireless Network Security Definition A wireless network is a computer network that uses wireless data connections between network devices such as laptops, mobile phones. What is the risk ? • Your neighbour can use free internet • Impersonation • Connected Devices may get attacked
Wireless Network Security What to do ? • ChangeYour RouterAdmin Username and Password • Hide your wireless router (if possible) • Put strong password • Set strongWi-Fi Network Key Security Rank WEP Basic WPA Personal Strong WPA2 Personal Strongest
Phishing Is it fishing or phishing ? “Well the motive is same but the targets are different”
Phishing Definition Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. What is the risk ? • Install Malware • Lock / Delete your data • Use your machine to infect other machines • Steal your personal information • User your machine to launch cyber attacks
Phishing Example
Phishing What to do ? • Learn to Identify Suspected Phishing Emails: They duplicate the image of a real company, Copy the name of a company or an actual employee of the company., Include sites that are visually similar to a real business, Promote gifts, or the loss of an existing account. • Check the Source of Information From Incoming Mail:Your bank will never ask you to send your passwords or personal information by mail. Never respond to these questions, and if you have the slightest doubt, call your bank directly for clarification. • Never Go toYour Bank’sWebsite by Clicking on Links Included in Emails • Enhance the Security ofYour Computer • EnterYour Sensitive Data in SecureWebsites Only (‘https://’) • Periodically CheckYour bank accounts to see any suspicious activity • Phishing KnowsAll Languages: Phishing knows no boundaries, and can reach you in any language. In general, they’re poorly written or translated, so this may be another indicator that something is wrong. • Have the Slightest Doubt, Do Not Risk It
Social media Definition Social media use web-based technologies, desktop computers and mobile technologies (e.g., smartphones and tablet computers) to create highly interactive platforms through which individuals, communities and organizations can share, co-create, discuss, and modify user-generated content or pre-made content posted online What is the risk ? • IDTheft • Social Profile Hacked • Letting Burglars KnowYourWhereabouts • Scams • Malicious Apps
Social media What to do ? • Don’t put accurate personal information such as Date of Birth, Address etc. • Have a strong password • Be careful with your status updates. • Don’t reveal your location. • Check shortened links by hovering your mouse over them before clicking • Activate “Do NotTrack” feature • Avoid posting specific travel plans. Never post when, where, or how long you’ll be gone. • Wait until you are home to post pictures to a vacation album. • Use highest privacy control. Only let certain groups, like a family group, view your photos. • Be selective with the status updates.You can use an audience-selector dropdown menu on Facebook to choose certain groups to see your status updates.
ThankYou

More Related Content

PPTX
Information Security Awareness Training Open
Fred Beck MBA, CPA
 
PDF
Employee Security Awareness Program
davidcurriecia
 
PPSX
Security Awareness Training
William Mann
 
PPTX
Cybersecurity Awareness Training for Employees.pptx
Mustafa Amiri
 
PPTX
Cyber Security Awareness Session for Executives and Non-IT professionals
Krishna Srikanth Manda
 
PDF
Security Awareness Training
Dmitriy Scherbina
 
PDF
End-User Security Awareness
Surya Bathulapalli
 
PPT
Employee Security Training[1]@
R_Yanus
 
Information Security Awareness Training Open
Fred Beck MBA, CPA
 
Employee Security Awareness Program
davidcurriecia
 
Security Awareness Training
William Mann
 
Cybersecurity Awareness Training for Employees.pptx
Mustafa Amiri
 
Cyber Security Awareness Session for Executives and Non-IT professionals
Krishna Srikanth Manda
 
Security Awareness Training
Dmitriy Scherbina
 
End-User Security Awareness
Surya Bathulapalli
 
Employee Security Training[1]@
R_Yanus
 

What's hot (20)

PDF
Cybersecurity Awareness Training Presentation v1.3
DallasHaselhorst
 
PPTX
Security Awareness Training.pptx
MohammedYaseen638128
 
PPTX
Cybersecurity Awareness Training
Dave Monahan
 
PPTX
Hyphenet Security Awareness Training
Jen Ruhman
 
PPTX
Cyber Security Awareness Program.pptx
Dinesh582831
 
PPTX
Awareness Training on Information Security
Ken Holmes
 
PPTX
Security awareness
Josh Chandler
 
PPT
IT Security Awareness-v1.7.ppt
OoXair
 
PDF
Customer information security awareness training
AbdalrhmanTHassan
 
PDF
Cyber security training
Wilmington University
 
PDF
Risks threats and vulnerabilities
Manish Chaurasia
 
PPTX
Cybersecurity Awareness Overview.pptx
sanap6
 
PPTX
Cyber Crisis Management - Kloudlearn
KloudLearn
 
PDF
Physical Security Presentation
Wajahat Rajab
 
PPTX
Network security
fatimasaham
 
PDF
Cybersecurity Employee Training
Paige Rasid
 
PDF
Cyber Security Awareness Training
Buy Custom Papers
 
PPTX
Information Security Awareness
SnapComms
 
PDF
Information Security Awareness Training
Randy Bowman
 
ODP
Cyber security awareness
Jason Murray
 
Cybersecurity Awareness Training Presentation v1.3
DallasHaselhorst
 
Security Awareness Training.pptx
MohammedYaseen638128
 
Cybersecurity Awareness Training
Dave Monahan
 
Hyphenet Security Awareness Training
Jen Ruhman
 
Cyber Security Awareness Program.pptx
Dinesh582831
 
Awareness Training on Information Security
Ken Holmes
 
Security awareness
Josh Chandler
 
IT Security Awareness-v1.7.ppt
OoXair
 
Customer information security awareness training
AbdalrhmanTHassan
 
Cyber security training
Wilmington University
 
Risks threats and vulnerabilities
Manish Chaurasia
 
Cybersecurity Awareness Overview.pptx
sanap6
 
Cyber Crisis Management - Kloudlearn
KloudLearn
 
Physical Security Presentation
Wajahat Rajab
 
Network security
fatimasaham
 
Cybersecurity Employee Training
Paige Rasid
 
Cyber Security Awareness Training
Buy Custom Papers
 
Information Security Awareness
SnapComms
 
Information Security Awareness Training
Randy Bowman
 
Cyber security awareness
Jason Murray
 
Ad

Similar to Information security awareness training (20)

PDF
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
MansoorAhmed57263
 
PPTX
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Zivaro Inc
 
PPTX
Iron Bastion: How to Manage Your Clients' Data Responsibly
Gabor Szathmari
 
PPTX
Protect your Database with Data Masking & Enforced Version Control
DBmaestro - Database DevOps
 
PPTX
Cybercrime and the Developer Java2Days 2016 Sofia
Steve Poole
 
PDF
Better to Ask Permission? Best Practices for Privacy and Security
Eric Kavanagh
 
PPTX
Protecting Your IP: Data Security for Software Technology
Shawn Tuma
 
PDF
Data Breaches - Sageworks, Inc., Webinar Series by Douglas Jambor
Turner and Associates, Inc.
 
PPTX
Forensic And Cloud Computing
Mitesh Katira
 
PDF
Security in the News
James Sutter
 
PPTX
The Cloud Beckons, But is it Safe?
Legal Services National Technology Assistance Project (LSNTAP)
 
PPTX
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
EC-Council
 
PDF
[Bucharest] Catching up with today's malicious actors
OWASP EEE
 
PPTX
Baking Security into the Company Culture (2017)
Mike Kleviansky
 
PPTX
Simplitfy - Guarding your Data
Erick Solms
 
PDF
2014 ota databreach3
Meg Weber
 
PDF
Needlesand haystacks i360-dublin
Derek King
 
PPTX
Basic_computerHygiene
EricK Gasana
 
PDF
Stackfield Cloud Security 101
Stackfield
 
PPTX
Using Technology and People to Improve your Threat Resistance and Cyber Security
Stephen Cobb
 
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
MansoorAhmed57263
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Zivaro Inc
 
Iron Bastion: How to Manage Your Clients' Data Responsibly
Gabor Szathmari
 
Protect your Database with Data Masking & Enforced Version Control
DBmaestro - Database DevOps
 
Cybercrime and the Developer Java2Days 2016 Sofia
Steve Poole
 
Better to Ask Permission? Best Practices for Privacy and Security
Eric Kavanagh
 
Protecting Your IP: Data Security for Software Technology
Shawn Tuma
 
Data Breaches - Sageworks, Inc., Webinar Series by Douglas Jambor
Turner and Associates, Inc.
 
Forensic And Cloud Computing
Mitesh Katira
 
Security in the News
James Sutter
 
The Cloud Beckons, But is it Safe?
Legal Services National Technology Assistance Project (LSNTAP)
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
EC-Council
 
[Bucharest] Catching up with today's malicious actors
OWASP EEE
 
Baking Security into the Company Culture (2017)
Mike Kleviansky
 
Simplitfy - Guarding your Data
Erick Solms
 
2014 ota databreach3
Meg Weber
 
Needlesand haystacks i360-dublin
Derek King
 
Basic_computerHygiene
EricK Gasana
 
Stackfield Cloud Security 101
Stackfield
 
Using Technology and People to Improve your Threat Resistance and Cyber Security
Stephen Cobb
 
Ad

Recently uploaded (20)

PPTX
Revamp in MTO Odoo 18 Inventory - Odoo Slides
Celine George
 
PPTX
Skill Development Program For Physiotherapy Students by SRY.pptx
Prof.Dr.Y.SHANTHOSHRAJA MPT Orthopedic., MSc Microbiology
 
PDF
UTS Health Student Promotional Representative_Position Description.pdf
Faculty of Health, University of Technology Sydney
 
PDF
High Ground Student Revision Booklet Preview
jpinnuck
 
PPTX
How to Manage Starshipit in Odoo 18 - Odoo Slides
Celine George
 
PDF
Module 3: Health Systems Tutorial Slides S2 2025
Jonathan Hallett
 
PPTX
Presentation on Janskhiya sthirata kosh.
Ms Usha Vadhel
 
PPTX
Introduction and Scope of Bichemistry.pptx
shantiyogi
 
PPTX
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
RAKESH SAJJAN
 
PPTX
Software Engineering BSC DS UNIT 1 .pptx
Dr. Pallawi Bulakh
 
PDF
LDMMIA Reiki Yoga S2 L3 Vod Sample Preview
LDMMia Reiki Lectures
 
PPTX
Open Quiz Monsoon Mind Game Final Set.pptx
Sourav Kr Podder
 
PDF
5.Universal-Franchise-and-Indias-Electoral-System.pdfppt/pdf/8th class social...
Sandeep Swamy
 
PPTX
Week 4 Term 3 Study Techniques revisited.pptx
mansk2
 
PDF
Piense y hagase Rico - Napoleon Hill Ccesa007.pdf
Demetrio Ccesa Rayme
 
PPTX
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
RAKESH SAJJAN
 
PDF
Cell Biology Basics: Cell Theory, Structure, Types, and Organelles | BS Level...
Miraj Khan
 
PDF
English Language Teaching from Post-.pdf
Aniana Gonzales
 
PDF
LDMMIA Reiki Yoga Workshop 15 MidTerm Review
LDMMia Reiki Lectures
 
PPTX
NOI Hackathon - Summer Edition - GreenThumber.pptx
MartinaBurlando1
 
Revamp in MTO Odoo 18 Inventory - Odoo Slides
Celine George
 
Skill Development Program For Physiotherapy Students by SRY.pptx
Prof.Dr.Y.SHANTHOSHRAJA MPT Orthopedic., MSc Microbiology
 
UTS Health Student Promotional Representative_Position Description.pdf
Faculty of Health, University of Technology Sydney
 
High Ground Student Revision Booklet Preview
jpinnuck
 
How to Manage Starshipit in Odoo 18 - Odoo Slides
Celine George
 
Module 3: Health Systems Tutorial Slides S2 2025
Jonathan Hallett
 
Presentation on Janskhiya sthirata kosh.
Ms Usha Vadhel
 
Introduction and Scope of Bichemistry.pptx
shantiyogi
 
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
RAKESH SAJJAN
 
Software Engineering BSC DS UNIT 1 .pptx
Dr. Pallawi Bulakh
 
LDMMIA Reiki Yoga S2 L3 Vod Sample Preview
LDMMia Reiki Lectures
 
Open Quiz Monsoon Mind Game Final Set.pptx
Sourav Kr Podder
 
5.Universal-Franchise-and-Indias-Electoral-System.pdfppt/pdf/8th class social...
Sandeep Swamy
 
Week 4 Term 3 Study Techniques revisited.pptx
mansk2
 
Piense y hagase Rico - Napoleon Hill Ccesa007.pdf
Demetrio Ccesa Rayme
 
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
RAKESH SAJJAN
 
Cell Biology Basics: Cell Theory, Structure, Types, and Organelles | BS Level...
Miraj Khan
 
English Language Teaching from Post-.pdf
Aniana Gonzales
 
LDMMIA Reiki Yoga Workshop 15 MidTerm Review
LDMMia Reiki Lectures
 
NOI Hackathon - Summer Edition - GreenThumber.pptx
MartinaBurlando1
 

Information security awareness training

  • 1. Information Security Awareness JULY 2017 DAY1 SANDEEP TAILENG
  • 2. Day 1:Topics Covered • 10:00 - 10:15 - Greetings • 10:15 – 10:30 –WisdomTree • 10:30 – 11:00 – Crown Jewels • 11:00 – 11:30 –Three Letter Magic • 11:30 – 12:00 – Case Study • 12:00 – 12:30 – InfoSec Survey Day 2:Topics Covered • 10:00 - 10:15 - Greetings • 10:15 - 10:30 - Antivirus software • 10:30 - 10:45 - Backups • 10:45 - 11:00 - Portable Storage Devices • 11:00 - 11:30 Inadequate passwords • 11:30 - 12:00Wireless network security settings • 12:00 - 12:30 - Phishing • 12:30 - 13:00 - Social media Agenda
  • 3. Wisdom Tree Wisdom Knowledge Information Data South facing traffic lights on corner of George and Pitt Street has turned red Meaning Red, 192.234.235. 245.678Raw I better stop the carApplied The traffic lights I am driving toward has turned red Context
  • 4. Enterprise • Customer Data • Employee Data • Financial Numbers • IT Infrastructure • Location of DR Site • Business Strategy Personal • Driving License Number • Address • TFN Number • Medical Records • User ID and Passwords • Banking Information Crown Jewels
  • 5. Why Secure Them • Liability • PrivacyConcerns • CopyrightViolations • IdentityTheft • ResourceViolations • Reputation Protection • Meet Expectations • Laws & Regulations
  • 8. Case Study What Happened? • Jan 2016: Hackers installed malware into Bangladesh Central Bank computers to prevent workers from discovering the fraudulent transactions quickly. In the case of Bangladesh Bank, the malware subverted the software used to automatically print SWIFT transactions. • Feb 2016: Hackers used SWIFT credentials of Bank employees to send more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of NewYork asking the bank to transfer $951 millions of the Bangladesh Bank's funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia. • Thirty transactions worth $851 million were flagged by the banking system for staff review, but five requests were granted; $20 million to Sri Lanka (later recovered), and $81 million lost to the Philippines, entering the Southeast Asian country's banking system on February 5, 2016.This money was laundered through casinos and some later transferred to Hong Kong.
  • 9. Case Study How was it stopped/discovered? • The hackers misspelled "Foundation" in their request to transfer the funds, spelling the word as "Fundation".This spelling error gained suspicion from Deutsche Bank, a routing bank which put a halt to the transaction in question after seeking clarifications from Bangladesh Bank. • Sri Lanka-based Pan Asia Bank initially took notice of the transaction, with one official noting the transaction as too big for a country like Sri Lanka. Pan Asia Bank was the one which referred the anomalous transaction to Deutsche Bank.The Sri Lankan funds have been recovered by Bangladesh Bank.
  • 10. Case Study The impact • $81 Millions lost • Unrepairable reputational damage • Loss of trust in global market
  • 11. Information Security Survey 1. What are your responsibilities for the protection of company assets? a) Assist with the protection and proper use of information assets b) Know the processes to protect information assets c) Build proper security practices into your day d) All of the above d) All of the above
  • 12. Information Security Survey 2. When sending or forwarding email you should make sure that it does not? a) Create a chain mail situation b) Have an attachment file c) Follow general business practices d) Send to intended recipient a) Create a chain mail situation
  • 13. Information Security Survey 3. When constructing a password you should? a) You should use your family member name, sports name, pet name and add a number on the end b) Use phrases or misspelled words with embedded numbers and special characters c) Use sequenced letters and numbers from your keyboard d) All of the above b) Use phrases or misspelled words with embedded numbers and special characters
  • 14. Information Security Survey 4. What would you do if you encountered a security incident? a) Contact your SecurityTeam or General Manager b) Tell a co-worker c) Call the local newspaper d) None of the above a) Contact your SecurityTeam or General Manager
  • 15. Information Security Survey 5. Who or what is the weakest link in the security chain? a) Internet b) Banking System c) Humans d) Head Office c) Humans
  • 16. Information Security Survey 6. What is the best password for organisation’s system a) P@sS2 b) Password12345 c) T88Sydn3y d) J*gi97!0q d) J*gi97!0q
  • 17. Information Security Survey 7. You are on your holidays and one of your staff called you to approve a $5 millions bank transfer.What would you do? a) Unrealistic. I am unreachable on my holidays b) My staff know my password while I am away c) I will ignore the call d) I will call back to the office number and ask the person to authenticate, before taking any action. d) I will call back to the office number and ask the person to authenticate, before taking any action.
  • 18. Information Security Survey 8. Your kids visited you in your office and wanted to see the server room.What should you do? a) Open the server room and show them the servers b) Ask for permission from the General Manager c) Distract my kids d) Server room is off limit to any unauthorised individuals d) Server room is off limit to any unauthorised individuals
  • 19. Information Security Survey 9. There is an earthquake in your city and your office is not available.What should you do? a) Call my General Manager / Colleague b) Stay at safe location till any further instructions provided c) Arrive to the identified BCP site d) All of the above d) All of the above
  • 20. Information Security Survey 10. Information send from my corporate email account is private and no one can look at it? a) True b) False b) False
  • 21. Information Security Awareness JULY 2017 DAY2 SANDEEP TAILENG
  • 22. Day 2:Topics Covered • 10:00 - 10:15 - Greetings • 10:15 - 10:30 - Antimalware software • 10:30 - 10:45 - Backups • 10:45 - 11:00 - Portable Storage Devices • 11:00 - 11:30 Inadequate passwords • 11:30 - 12:00 Wireless network security settings • 12:00 - 12:30 - Phishing • 12:30 - 13:00 - Social media Agenda
  • 23. Some Definitions Viruses • A virus is a computer program intentionally written and released to spread across computers and networks and disrupt your computing experience. • These bad-mannered programs come to your PC through email, the Internet, downloaded files, and files you open on a CD. • Viruses typically work by attaching themselves to another program on your PC, and do not infect the computer until the program runs. Worms • A worm is similar to a program but doesn't need to attach itself to another program to run. • Worms, a sub-class of viruses, are replicated automatically without human help (like an email address book attack). • Worms can bog down networks and web sites.And, the scary part is that you don't have to do anything but turn your computer on! Trojans • ATrojan poses as a legitimate program but is designed to disrupt computing on the PC it infects. It is not designed to spread to other computers. Backdoor Trojans • This type of code allows other computer users to gain access to your computer across the Internet.
  • 24. Anti Malware Software Definition Anti-malware software is a program or set of programs that are designed to prevent, search for, detect, and remove software viruses, and other malicious software like virus, worms, trojans, adware, and more. What is the risk ? • Lock / Delete your data • Use your machine to infect other machines • Steal your personal information • User your machine to launch cyber attacks
  • 25. Anti Malware Software What to do ? • Compare all Anti malware software available and choose which you can manage • Update your Anti malware software regularly • RunAnti malware scan on your device periodically (at least monthly) • Do not turn it off to install new software. Avast Eset Malwarebytes McAffee Avira Kaspersky AVG
  • 26. Data Backup Definition A backup, refers to the copying and archiving of computer data so it may be used to restore the original after a data loss event. What is the risk ? • Unable to recover data after its loss, be it by data deletion or corruption. • Unable to recover data from an earlier time Is Backup and Disaster Recovery Same? • No, backup should be part of any disaster recovery plan, backups by themselves should not be considered a complete disaster recovery plan as not all backup systems are able to reconstitute a computer system or other complex configuration.
  • 27. Data Backup What to do ? • Backup, Backup and more Backup • Backup Medias: • External hard drive • Flash Drive • Cloud Storage • Periodically check that your backup files can be restored.
  • 28. Portable Storage Devices Definition Portable Storage Devices (PSDs) are small, lightweight, portable devices capable of storing large amounts of data.The most common kinds of PSDs are USB flash drives (also called USB keys or thumb drives), portable external hard drives, tablets (iPad, GalaxyTab), smart phones (iPhone, Android) and some MP3 players (iPod, Zune). Additionally, netbooks are often considered to be PSDs. What is the risk ? • Easy to carry in and out of enterprise • Most of the time no encryption
  • 29. Portable Storage Devices What to do ? • Scan these devices, prior to use to look for malicious software. • Label these devices indicating their use. • Disable autorun and autoplay features for removable media devices.These automatically open removable media files when it is plugged into your system. • Define procedures for ensuring secure disposal of, or deletion of information from, PSDs. • If possible, encrypt or password protect these devices.
  • 30. Weak Passwords / PINs Some Facts • Top 5 passwords are 123456, 123456789, qwerty, 12345678, password • Top 5 PINs are 1234, 1111, 0000, 9999, person’s year of birth • Above list is not changed for last five years • Two-thirds of people use no more than two passwords for all their online accounts • When people are asked to include a number in a password, the majority simply add a “1” or a “2” at the end. • The minimum password length experts now recommend to avoid being compromised by brute-force cracking is 13 • About 40% of organizations store privileged and administrative passwords in aWord document or spreadsheet.
  • 31. Weak Passwords / PINs What to do ? • Where ever possible use 2 factor authentication or biometric • Don't use your login or user name in any form (as-is, reversed, capitalized, doubled, etc.) • Don't use your first, middle, or last name in any form. • Don't use your spouse's, significant other's, children's, friend's, or pet's name in any form. • Don't use other information easily obtained about you, including your date of birth, license plate number, telephone number, social security number, make of your automobile, house address, etc. • Don't use a password of all digits or all the same letter. • Don't use a word contained in English or foreign language dictionaries, spelling lists, acronym or abbreviation lists, or other lists of words. • Don't use a password containing fewer than six characters. • Don't give your password to another person for any reason.
  • 32. Wireless Network Security Definition A wireless network is a computer network that uses wireless data connections between network devices such as laptops, mobile phones. What is the risk ? • Your neighbour can use free internet • Impersonation • Connected Devices may get attacked
  • 33. Wireless Network Security What to do ? • ChangeYour RouterAdmin Username and Password • Hide your wireless router (if possible) • Put strong password • Set strongWi-Fi Network Key Security Rank WEP Basic WPA Personal Strong WPA2 Personal Strongest
  • 34. Phishing Is it fishing or phishing ? “Well the motive is same but the targets are different”
  • 35. Phishing Definition Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. What is the risk ? • Install Malware • Lock / Delete your data • Use your machine to infect other machines • Steal your personal information • User your machine to launch cyber attacks
  • 37. Phishing What to do ? • Learn to Identify Suspected Phishing Emails: They duplicate the image of a real company, Copy the name of a company or an actual employee of the company., Include sites that are visually similar to a real business, Promote gifts, or the loss of an existing account. • Check the Source of Information From Incoming Mail:Your bank will never ask you to send your passwords or personal information by mail. Never respond to these questions, and if you have the slightest doubt, call your bank directly for clarification. • Never Go toYour Bank’sWebsite by Clicking on Links Included in Emails • Enhance the Security ofYour Computer • EnterYour Sensitive Data in SecureWebsites Only (‘https://’) • Periodically CheckYour bank accounts to see any suspicious activity • Phishing KnowsAll Languages: Phishing knows no boundaries, and can reach you in any language. In general, they’re poorly written or translated, so this may be another indicator that something is wrong. • Have the Slightest Doubt, Do Not Risk It
  • 38. Social media Definition Social media use web-based technologies, desktop computers and mobile technologies (e.g., smartphones and tablet computers) to create highly interactive platforms through which individuals, communities and organizations can share, co-create, discuss, and modify user-generated content or pre-made content posted online What is the risk ? • IDTheft • Social Profile Hacked • Letting Burglars KnowYourWhereabouts • Scams • Malicious Apps
  • 39. Social media What to do ? • Don’t put accurate personal information such as Date of Birth, Address etc. • Have a strong password • Be careful with your status updates. • Don’t reveal your location. • Check shortened links by hovering your mouse over them before clicking • Activate “Do NotTrack” feature • Avoid posting specific travel plans. Never post when, where, or how long you’ll be gone. • Wait until you are home to post pictures to a vacation album. • Use highest privacy control. Only let certain groups, like a family group, view your photos. • Be selective with the status updates.You can use an audience-selector dropdown menu on Facebook to choose certain groups to see your status updates.

Editor's Notes

  • #7: Confidentiality Confidentiality is the protection of information from unauthorized access. This goal of the CIA triad emphasizes the need for information protection. Confidentiality requires measures to ensure that only authorized people are allowed to access the information. For example, confidentiality is maintained for a computer file if authorized users are able to access it, while unauthorized persons are blocked from accessing it. Confidentiality in the CIA triad relates to information security because information security requires control on access to the protected information. Integrity The CIA triad goal of integrity is the condition where information is kept accurate and consistent unless authorized changes are made. It is possible for information to change because of careless access and use, errors in the information system, or unauthorized access and use. In the CIA triad, integrity is maintained when the information remains unchanged during storage, transmission, and usage not involving modification to the information. Integrity relates to information security because accurate and consistent information is a result of proper protection. The CIA triad requires information security measures to monitor and control authorized access, use, and transmission of information. Availability The CIA triad goal of availability is the situation where information is available when and where it is rightly needed. The main concern in the CIA triad is that the information should be available when authorized users need to access it. Availability is maintained when all components of the information system are working properly. Problems in the information system could make it impossible to access information, thereby making the information unavailable. In the CIA triad, availability is linked to information security because effective security measures protect system components and ensuring that information is available.
  • #8: As the first process, authentication provides a way of identifying a user, typically by having the user enter a valid user name and valid password before access is granted. The process of authentication is based on each user having a unique set of criteria for gaining access. The AAA server compares a user's authentication credentials with other user credentials stored in a database. If the credentials match, the user is granted access to the network. If the credentials are at variance, authentication fails and network access is denied. Following authentication, a user must gain authorization for doing certain tasks. After logging into a system, for instance, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands. Simply put, authorization is the process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorization occurs within the context of authentication. Once you have authenticated a user, they may be authorized for different types of access or activity. The final plank in the AAA framework is accounting, which measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.
  • #25: the first known computer virus appeared in 1971 and was dubbed the "Creeper virus".[5] This computer virus infected Digital Equipment Corporation's (DEC) PDP-10 mainframe computers running the TENEX operating system.[6][7] The Creeper virus was eventually deleted by a program created by Ray Tomlinson and known as "The Reaper".[8] Some people consider "The Reaper" the first antivirus software ever written
  • #26: the first known computer virus appeared in 1971 and was dubbed the "Creeper virus".[5] This computer virus infected Digital Equipment Corporation's (DEC) PDP-10 mainframe computers running the TENEX operating system.[6][7] The Creeper virus was eventually deleted by a program created by Ray Tomlinson and known as "The Reaper".[8] Some people consider "The Reaper" the first antivirus software ever written
  • #27: Data loss can be a common experience of computer users; a 2008 survey found that 66% of respondents had lost files on their home PC.
  • #28: Data loss can be a common experience of computer users; a 2008 survey found that 66% of respondents had lost files on their home PC.
  • #32: Explain how to generate strong password