BUILDING AWARENESS AND AWARENESS PROGRAM - Vasil Tsvimitidze

Georgia NATO
BUILDING AWARENESS AND AWARENESS PROGRAM
Turkey, Ankara 2012
Vasil Tsvimitidze

Common Threats and vulnerabilities 2

Common Threats and vulnerabilities
Types and examples of information security threats

Planning and building of awareness program
Main principles tool and techniques for awareness rising.How to plan information security
awareness program taking to note cultural differences, available resources and objectives.
Hands on development specific awareness program, depending on Georgian practice. Defining
awareness program and identify priorities. Identification of success assessment metrics.
Development or localization materials for government organizations, business companies and
citizens.


There are many information security threats that we need to be constantly aware of and protect
against in order to ensure our sensitive information remains secure. This article details 12
different information security threats that are commonly found, together with some
preventative measures that can be taken.
This article is just one of the many materials that form part of the ’Highway of Threats’
awareness campaign. See the Campaigns section of the site for more details on this.
Unauthorized Access,
Cyber Espionage,
Malware,
Data Leakage,
Mobile Device Attack,
Social Engineering,
Insiders,
Phishing,
System Compromise,
Spam
Denial of Service
Identity Theft.


Unauthorized Access – Enter at your own risk
The attempted or successful access of information or systems, without
permission or rights to do so.
- Ensure you have a properly configured firewall, up to date malware
prevention software and all software has the latest security updates.
- Protect all sensitive information, utilizing encryption where
appropriate, and use strong passwords that are changed regularly.

Cyber Espionage – Hey, get off my network!
The act of spying through the use of computers, involving the covert
access or ‘hacking’ of company or government networks to obtain
sensitive information.
- Be alert for social engineering attempts and verify all requests for
sensitive information.
- Ensure software has the latest security updates, your network is secure
and monitor for unusual network behavior.


Malware – You installed what?!
A collective term for malicious software, such as viruses, worms and
trojans; designed to infiltrate systems and information for
criminal, commercial or destructive purposes.
- Ensure you have a properly configured firewall, up to date malware
prevention and all software has the latest security updates.
- Do not click links or open attachments in emails from unknown
senders, visit un-trusted websites or install dubious software.

Data Leakage – I seek what you leak
The intentional or accidental loss, theft or exposure of sensitive company
or personal information.
- Ensure all sensitive information stored on removable storage
media, mobile devices or laptops is encrypted
- Be mindful of what you post online, check email recipients before
pressing send, and never email sensitive company information to
personal email accounts.


Mobile Device Attack – Lost, but not forgotten
The malicious attack on, or unauthorized access of, mobile devices and
the information stored or processed by them; performed wirelessly or
through physical possession.
- Keep devices with you at all times, encrypt all sensitive data and
removable storage media, and use strong passwords.
- Avoid connecting to insecure, un-trusted public wireless networks and
ensure Bluetooth is in ‘undiscoverable’ mode.

Social Engineering – Go find some other mug
Tricking and manipulating others by phone, email, online or in-
person, into divulging sensitive information, in order to access company
information or systems.
- Verify all requests for sensitive information, no matter how legitimate
they may seem, and never share your passwords with anyone – not even
the helpdesk.
- Never part with sensitive information if in doubt, and report suspected
social engineering attempts immediately.


Insiders – I see bad people
An employee or worker with malicious intent to steal sensitive company
information, commit fraud or cause damage to company systems or
information.
- Ensure access to sensitive information is restricted to only those that
need it and revoke access when no longer required.
- Report all suspicious activity or workers immediately.

Phishing – Think before you link
A form of social engineering, involving the sending of legitimate looking
emails aimed at fraudulently extracting sensitive information from
recipients, usually to gain access to systems or for identity theft.
- Look out for emails containing unexpected or unsolicited requests for
sensitive information, or contextually relevant emails from unknown
senders.
- Never click on suspicious looking links within emails, and report all
suspected phishing attempts immediately.


System Compromise – Only the strong survive
A system that has been attacked and taken over by malicious individuals
or ‘hackers’, usually through the exploitation of one or more
vulnerabilities, and then often used for attacking other systems.
- Plug vulnerable holes by ensuring software has the latest security
updates and any internally developed software is adequately security
reviewed.
- Ensure systems are hardened and configured securely, and regularly
scan them for vulnerabilities.

Spam – Email someone else
Unsolicited email sent in bulk to many individuals, usually for commercial
gain, but increasingly for spreading malware.
- Only give your email to those you trust and never post your address
online for others to view.
- Use a spam filter and never reply to spam emails or click links within
them.


Denial of Service – Are you still there?
An intentional or unintentional attack on a system and the information
stored on it, rendering the system unavailable and inaccessible to
authorized users.
- Securely configure and harden all networks and network equipment
against known DoS attacks.
- Monitor networks through log reviews and the use of intrusion
detection or prevention systems.

Identity Theft – You will never be me
The theft of an unknowing individual’s personal information, in order to
fraudulently assume that individual’s identity to commit a crime, usually
for financial gain.
- Never provide personal information to un-trusted individuals or
websites.
- Ensure personal information is protected when stored and securely
disposed of when no longer needed.

Principles of awareness 10
Main principles tool and techniques for
awareness rising.

Principles of awareness
 Source of threats are people

 Mission of threats are people

 Successful awareness program is combination of Technologies and Capabilities

 Skillful motivated people are key

 It’s the combination of

Marketing + Information Technologies sciences + Public relationship + risk management
And creativity

Risk management 11

 Vulnerability

 Threat

 Risk

 Probability

 Impact

Priority Threat Vulnerability Probability Impact Risk R_ID

Gergian Example 12

 Segmentation
 Government organizations
 Critical infrastructure
 Citizens (gender, age, education etc.)
 Communication Channels
 Internet
 Conferences
 TV
 Printing media
 Meeting and presentations
 Awareness Activity
 Material development
 Results assessment
R_ID Segment Channel Activity Material result Phase

BUILDING AWARENESS AND AWARENESS PROGRAM - Vasil Tsvimitidze

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à BUILDING AWARENESS AND AWARENESS PROGRAM - Vasil Tsvimitidze

Similaire à BUILDING AWARENESS AND AWARENESS PROGRAM - Vasil Tsvimitidze (20)

Dernier

Dernier (20)

BUILDING AWARENESS AND AWARENESS PROGRAM - Vasil Tsvimitidze