Information Security Awareness
JULY 2017
Day 1
SANDEEP TAILENG
Agenda

Day 1: Topics Covered
• 10:00 - 10:15 - Greetings
• 10:15 - 10:30 - Wisdom Tree
• 10:30 - 11:00 - Crown Jewels
• 11:00 - 11:30 - Three Letter Magic
• 11:30 - 12:00 - Case Study
• 12:00 - 12:30 - InfoSec Survey

Day 2: Topics Covered
• 10:00 - 10:15 - Greetings
• 10:15 - 10:30 - Antivirus software
• 10:30 - 10:45 - Backups
• 10:45 - 11:00 - Portable Storage Devices
• 11:00 - 11:30 - Inadequate passwords
• 11:30 - 12:00 - Wireless network security settings
• 12:00 - 12:30 - Phishing
• 12:30 - 13:00 - Social media
Wisdom Tree
• Data (raw): Red, 192.234.235.245.678
• Information (context): The traffic light I am driving toward has turned red
• Knowledge (meaning): The south-facing traffic light on the corner of George and Pitt Street has turned red
• Wisdom (applied): I had better stop the car
Crown Jewels
Enterprise
• Customer data
• Employee data
• Financial numbers
• IT infrastructure
• Location of the DR site
• Business strategy
Personal
• Driving licence number
• Address
• Tax File Number (TFN)
• Medical records
• User IDs and passwords
• Banking information
Why Secure Them
• Liability
• Privacy concerns
• Copyright violations
• Identity theft
• Resource violations
• Reputation protection
• Meeting expectations
• Laws and regulations
Three Letter Magic
Case Study
What Happened?
• Jan 2016: Attackers installed malware on Bangladesh Bank (the country's central bank) computers to delay staff from discovering the fraudulent transactions. The malware subverted the software that automatically printed out SWIFT transaction confirmations, so the paper trail that staff would have reviewed never appeared.
• Feb 2016: Using the SWIFT credentials of bank employees, the attackers sent more than three dozen fraudulent transfer requests to the Federal Reserve Bank of New York, asking it to move $951 million of Bangladesh Bank's funds to accounts in the Philippines, Sri Lanka and other parts of Asia.
• Thirty transactions worth $851 million were flagged by the banking system for staff review, but five requests were granted: $20 million to Sri Lanka (later recovered) and $81 million to the Philippines, which entered that country's banking system on 5 February 2016. The money was laundered through casinos and some of it was later transferred to Hong Kong.
Case Study
How was it stopped/discovered?
• The attackers misspelled "Foundation" as "Fundation" in one transfer request. The spelling error raised suspicion at Deutsche Bank, a routing bank, which halted the transaction in question after seeking clarification from Bangladesh Bank.
• Sri Lanka-based Pan Asia Bank had initially noticed the transaction, one official remarking that it was too big for a country like Sri Lanka, and it was Pan Asia Bank that referred the anomalous transaction to Deutsche Bank. The Sri Lankan funds have since been recovered by Bangladesh Bank.
Case Study
The impact
• $81 million lost
• Irreparable reputational damage
• Loss of trust in the global market
• Note that the fraud was caught by people at correspondent banks noticing anomalies, not by the victim's own controls: stolen credentials made the requests look legitimate, and the tampered confirmation printer hid them from the review step that depended on it.
Information Security Survey

1. What are your responsibilities for the protection of company assets?
a) Assist with the protection and proper use of information assets
b) Know the processes to protect information assets
c) Build proper security practices into your day
d) All of the above
Answer: d) All of the above

2. When sending or forwarding email, you should make sure that it does not:
a) Create a chain mail situation
b) Have an attachment
c) Follow general business practices
d) Go to the intended recipient
Answer: a) Create a chain mail situation

3. When constructing a password, you should:
a) Use a family member's name, a sports team or a pet's name, and add a number on the end
b) Use phrases or misspelled words with embedded numbers and special characters
c) Use sequences of letters and numbers from your keyboard
d) All of the above
Answer: b) Use phrases or misspelled words with embedded numbers and special characters

4. What would you do if you encountered a security incident?
a) Contact your Security Team or General Manager
b) Tell a co-worker
c) Call the local newspaper
d) None of the above
Answer: a) Contact your Security Team or General Manager

5. Who or what is the weakest link in the security chain?
a) The Internet
b) The banking system
c) Humans
d) Head Office
Answer: c) Humans

6. Which is the best password for the organisation's systems?
a) P@sS2
b) Password12345
c) T88Sydn3y
d) J*gi97!0q
Answer: d) J*gi97!0q (the only option that is not too short, not a dictionary word with a number sequence, and not a recognisable word with a digit swapped in for a letter)

7. You are on holiday and one of your staff calls you to approve a $5 million bank transfer. What would you do?
a) Unrealistic; I am unreachable on my holidays
b) My staff know my password while I am away
c) I will ignore the call
d) I will call back on the office number and ask the person to authenticate before taking any action
Answer: d) I will call back on the office number and ask the person to authenticate before taking any action

8. Your kids visit you in your office and want to see the server room. What should you do?
a) Open the server room and show them the servers
b) Ask for permission from the General Manager
c) Distract my kids
d) The server room is off-limits to any unauthorised individual
Answer: d) The server room is off-limits to any unauthorised individual

9. There is an earthquake in your city and your office is not available. What should you do?
a) Call my General Manager / colleague
b) Stay at a safe location until further instructions are provided
c) Go to the identified BCP site
d) All of the above
Answer: d) All of the above

10. Information sent from my corporate email account is private and no one can look at it.
a) True
b) False
Answer: b) False
Information Security Awareness
JULY 2017
Day 2
SANDEEP TAILENG
Agenda
Day 2: Topics Covered
• 10:00 - 10:15 - Greetings
• 10:15 - 10:30 - Anti-malware software
• 10:30 - 10:45 - Backups
• 10:45 - 11:00 - Portable Storage Devices
• 11:00 - 11:30 - Inadequate passwords
• 11:30 - 12:00 - Wireless network security settings
• 12:00 - 12:30 - Phishing
• 12:30 - 13:00 - Social media
Some Definitions

Viruses
• A virus is a computer program intentionally written and released to spread across computers and networks and disrupt your computing.
• These programs reach your PC through email, the Internet, downloaded files, and files you open from a CD or other removable media.
• Viruses typically work by attaching themselves to another program on your PC and do not infect the computer until that program runs.

Worms
• A worm is similar to a virus but does not need to attach itself to another program to run.
• Worms, a sub-class of viruses, replicate automatically without human help (for example by mailing themselves to every address in an email address book).
• Worms can bog down networks and web sites, and you need do nothing more than turn your computer on to be exposed.

Trojans
• A Trojan poses as a legitimate program but is designed to disrupt computing on the PC it infects. It is not designed to spread to other computers on its own.

Backdoor Trojans
• This type of code allows other people to gain access to your computer across the Internet.
Anti-Malware Software
Definition
Anti-malware software is a program or set of programs designed to prevent, search for, detect and remove malicious software such as viruses, worms, trojans, adware and more.
What is the risk?
• Lock or delete your data
• Use your machine to infect other machines
• Steal your personal information
• Use your machine to launch cyber attacks
Anti-Malware Software
What to do?
• Compare the anti-malware products available and choose one you can keep managed and updated
• Update your anti-malware software regularly; an out-of-date scanner misses current malware
• Run an anti-malware scan on your device periodically (at least monthly)
• Do not turn it off to install new software
Examples of products: Avast, ESET, Malwarebytes, McAfee, Avira, Kaspersky, AVG
Data Backup
Definition
A backup is a copy of computer data, kept so that the original can be restored after a data-loss event.
What is the risk?
• Unable to recover data after its loss, whether by deletion or corruption
• Unable to recover data as it was at an earlier time
Are backup and disaster recovery the same?
• No. Backups should be part of any disaster recovery plan, but backups by themselves are not a complete disaster recovery plan: not all backup systems can reconstitute a computer system or other complex configuration.
Data Backup
What to do?
• Backup, backup and more backup
• Backup media:
  • External hard drive
  • Flash drive
  • Cloud storage
• Keep at least one copy disconnected or off-site: malware that locks your data will also lock a backup drive that stays plugged in.
• Periodically check that your backup files can actually be restored; an untested backup is only a hope.
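The restore check in the last bullet is the part most people skip, so here it is done by machine. This is an added example, not code from the slides: `create_backup` archives a directory and records a SHA-256 manifest of every file, and `verify_restore` extracts the archive into a scratch directory and compares the result against that manifest. The sample files and the simulated loss of `notes.txt` are constructed for the demonstration.

```python
"""Backup with a SHA-256 manifest and a verified test restore.

Added example, not from the slides: create_backup() archives a directory
and records a hash of every file; verify_restore() extracts the archive
into a scratch directory and diffs it against that manifest, which is the
'check that your backup files can be restored' step done by machine.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write source into a tar.gz and return the manifest taken at backup
    time; keep that manifest somewhere other than the archive itself."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, expected: dict[str, str]) -> list[str]:
    """Restore into a fresh temp directory and diff against the manifest.
    Returns a list of problems; an empty list means restorable and complete."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter refuses members that would escape dest
                # (Python 3.12+ and security backports); older interpreters
                # do not accept the argument and fall back.
                tar.extractall(dest, filter="data")
            except TypeError:
                tar.extractall(dest)
        restored = build_manifest(dest)
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content changed: {rel}")
    for rel in sorted(restored.keys() - expected.keys()):
        problems.append(f"unexpected file in restore: {rel}")
    return problems


def demo() -> tuple[int, list[str], list[str]]:
    """Constructed sample data: a good backup verifies clean, then a
    re-taken backup that silently lost a file is caught by the check."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "docs"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q2.csv").write_text("account,balance\n42,1000\n")
        (src / "notes.txt").write_text("DR site runbook draft\n")
        archive = Path(work) / "docs-backup.tar.gz"

        manifest = create_backup(src, archive)      # two files recorded
        clean = verify_restore(archive, manifest)   # nothing wrong

        (src / "notes.txt").unlink()                # simulate a silent loss
        create_backup(src, archive)                 # re-taken, incomplete
        broken = verify_restore(archive, manifest)  # the old manifest catches it
        return len(manifest), clean, broken


if __name__ == "__main__":
    print(demo())
```

The manifest is the reference point, so store it apart from the archive (a backup that carries its own checksums only proves it is internally consistent, not that it still matches what you meant to save). Run the verify step on a schedule, not just once after setup.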
Portable Storage Devices
Definition
Portable Storage Devices (PSDs) are small, lightweight, portable devices capable of storing large amounts of data. The most common kinds of PSDs are USB flash drives (also called USB keys or thumb drives), portable external hard drives, tablets (iPad, Galaxy Tab), smartphones (iPhone, Android) and some MP3 players (iPod, Zune). Netbooks are also often considered PSDs.
What is the risk?
• Easy to carry in and out of the enterprise, so data walks out and malware walks in unnoticed
• Most of the time there is no encryption, so a lost or stolen device exposes everything on it
Portable Storage Devices
What to do?
• Scan these devices for malicious software before use.
• Label these devices to indicate their use.
• Disable autorun and autoplay for removable media; these features automatically open files on removable media when it is plugged into your system.
• Define procedures for secure disposal of PSDs, or for securely deleting the information on them.
• If possible, encrypt these devices. A password prompt that does not encrypt the data can be bypassed by reading the storage directly.
Weak Passwords / PINs
Some Facts
• The top 5 passwords are 123456, 123456789, qwerty, 12345678 and password
• The top 5 PINs are 1234, 1111, 0000, 9999 and the person's year of birth
• These lists have not changed in the last five years
• Two-thirds of people use no more than two passwords for all their online accounts
• When people are asked to include a number in a password, the majority simply add a "1" or a "2" at the end
• The minimum password length experts now recommend to avoid compromise by brute-force cracking is 13 characters
• About 40% of organisations store privileged and administrative passwords in a Word document or spreadsheet
Weak Passwords / PINs
What to do?
• Wherever possible, use two-factor authentication or biometrics
• Don't use your login or user name in any form (as-is, reversed, capitalised, doubled, etc.)
• Don't use your first, middle or last name in any form
• Don't use your spouse's, significant other's, children's, friend's or pet's name in any form
• Don't use other information easily obtained about you, including your date of birth, licence plate number, telephone number, social security number, make of your car, house address, etc.
• Don't use a password of all digits or all the same letter
• Don't use a word contained in English or foreign-language dictionaries, spelling lists, acronym or abbreviation lists, or other word lists; swapping a few letters for look-alike digits (3 for e, 0 for o) does not help, because cracking tools try those substitutions first
• Don't use a password of fewer than six characters, and aim for the 13 recommended above
• Don't give your password to another person for any reason
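The rules above, and the reasoning behind survey questions 3 and 6 on Day 1, can be turned into a check. This is an added example, not code from the slides: `check_password` applies the "don't" rules (length, all digits, one repeated character, username or personal details in any form, dictionary words with look-alike digits undone, keyboard sequences, the top-5 list), and `keyspace_bits` shows why a character-class count alone is not a strength measure. `TOP_PASSWORDS` and `DICTIONARY` are constructed stand-ins for the breached-password list and dictionary a real deployment would load.

```python
"""Password rule check for the 'don't' list on this slide, plus the common-
password and keyboard-sequence facts. Added example, not from the slides;
TOP_PASSWORDS and DICTIONARY are constructed stand-ins for the breached-
password list and dictionary a real deployment would load."""
import math
import re

TOP_PASSWORDS = ("123456", "123456789", "qwerty", "12345678", "password")
DICTIONARY = ("password", "welcome", "summer", "dragon", "sydney", "monkey")
KEYBOARD_RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "abcdefghijklmnopqrstuvwxyz")
LEET = str.maketrans("0134$@!", "oieasai")  # undo 0->o, 1->i, 3->e, 4->a, $->s, @->a, !->i
ABSOLUTE_MIN = 6       # the slide's 'fewer than six characters' rule
RECOMMENDED_MIN = 13   # the length the facts slide cites against brute force


def forms_of(word: str) -> set[str]:
    """'In any form': as-is, reversed, doubled. Capitalisation is covered
    because everything is compared in lower case."""
    w = word.lower()
    return {w, w[::-1], w + w}


def has_sequence(low: str, length: int = 4) -> bool:
    """True if the password holds `length` adjacent keyboard or alphabet
    keys in either direction, e.g. 'qwer', '4321', 'abcd'."""
    for run in KEYBOARD_RUNS:
        for i in range(len(run) - length + 1):
            piece = run[i:i + length]
            if piece in low or piece[::-1] in low:
                return True
    return False


def check_password(pw: str, username: str = "", personal: tuple[str, ...] = ()) -> list[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    findings = []
    low = pw.lower()
    norm = low.translate(LEET)           # 'Sydn3y' -> 'sydney', 'P@ss' -> 'pass'
    if len(pw) < ABSOLUTE_MIN:
        findings.append(f"shorter than {ABSOLUTE_MIN} characters")
    elif len(pw) < RECOMMENDED_MIN:
        findings.append(f"shorter than the recommended {RECOMMENDED_MIN} characters")
    if pw.isdigit():
        findings.append("all digits")
    if len(set(low)) == 1:
        findings.append("a single repeated character")
    if low in TOP_PASSWORDS:
        findings.append("one of the most common passwords")
    if username and any(f in norm for f in forms_of(username)):
        findings.append("contains the username")
    for item in personal:
        if any(f in norm for f in forms_of(item)):
            findings.append(f"contains personal information ({item})")
    for word in DICTIONARY:
        if word in low or word in norm:
            findings.append(f"contains a dictionary word ({word})")
    if has_sequence(low):
        findings.append("contains a keyboard or alphabet sequence")
    return findings


def keyspace_bits(pw: str) -> float:
    """log2 of the brute-force space implied by the character classes used.
    An upper bound only: 'Password12345' scores higher than 'J*gi97!0q'
    here yet falls to a dictionary attack instantly."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33
    return len(pw) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    # The four options from survey question 6
    for candidate in ("P@sS2", "Password12345", "T88Sydn3y", "J*gi97!0q"):
        print(candidate, check_password(candidate), round(keyspace_bits(candidate), 1))
```

Run against the survey options, only `J*gi97!0q` clears every "don't" rule, and even it is flagged as shorter than the 13 characters the facts slide recommends. Note the keyspace figure ranks `Password12345` above it; length and character classes measure the cost of an exhaustive search, not of the dictionary-and-rules attack a cracker actually runs first.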
Wireless Network Security
Definition
A wireless network is a computer network that uses wireless data connections between network devices such as laptops and mobile phones.
What is the risk?
• Your neighbour, or anyone in range, can use your internet connection, and whatever they do is traced to your connection
• Impersonation: an attacker can pose as your network (a rogue access point) or as one of your devices
• Connected devices may be attacked from inside the network
Wireless Network Security
What to do?
• Change your router's admin username and password from the factory defaults
• Hide your wireless network name (SSID) if possible; this only deters casual discovery, since the name is still visible to anyone capturing traffic
• Use a strong password for the router admin account
• Set a strong Wi-Fi network key

Security rank
• WEP: Basic (WEP is broken and should be treated as no protection)
• WPA Personal: Strong
• WPA2 Personal: Strongest
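To make the ranking concrete, here is the weak setting beside the corrected one, expressed as hostapd access-point configurations, with a small audit that grades them. This is an added example, not part of the slides: both configurations are constructed, `DEFAULT_SSIDS` is a short stand-in list, and the 13-character minimum for the network key is carried over from the passwords slide.

```python
"""Audit a hostapd access-point configuration against the slide's ranking
(WEP < WPA Personal < WPA2 Personal) and its other 'what to do' items.
Added example, not from the slides; both configurations are constructed."""

WEAK_CONF = """\
interface=wlan0
ssid=NETGEAR
# 40-bit WEP key, the kind of setup an old router ships with
wep_default_key=0
wep_key0=ABCDEF1234
"""

HARDENED_CONF = """\
interface=wlan0
ssid=oak-street-home
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple 2017
"""

DEFAULT_SSIDS = {"netgear", "linksys", "dlink", "tp-link", "default"}  # constructed list
MIN_KEY_LENGTH = 13    # recommended minimum from the passwords slide


def parse_hostapd(text: str) -> dict[str, str]:
    """hostapd uses simple key=value lines; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def security_mode(conf: dict[str, str]) -> str:
    """Map settings to the slide's ranks. In hostapd, wep_key* configures
    WEP; wpa=1 is WPA only, wpa=2 is WPA2 (RSN) only, wpa=3 allows both."""
    if any(k.startswith("wep_key") for k in conf):
        return "WEP"
    wpa = conf.get("wpa", "0")
    if wpa == "2":
        return "WPA2"
    if wpa in ("1", "3"):
        return "WPA"       # wpa=3 still lets WPA1 clients connect
    return "Open"


def audit(conf: dict[str, str]) -> list[str]:
    """Return the problems found; an empty list means the config meets the slide."""
    findings = []
    mode = security_mode(conf)
    if mode in ("Open", "WEP"):
        findings.append(f"{mode}: no real protection, use WPA2 Personal")
    elif mode == "WPA":
        findings.append("WPA1 still permitted: set wpa=2 and rsn_pairwise=CCMP")
    if mode == "WPA2" and "TKIP" in conf.get("rsn_pairwise", ""):
        findings.append("TKIP cipher enabled under WPA2: use CCMP only")
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("SSID is a factory default: rename it")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID is broadcast: set ignore_broadcast_ssid=1 to hide it")
    key = conf.get("wpa_passphrase", "")
    if mode.startswith("WPA") and len(key) < MIN_KEY_LENGTH:
        findings.append(f"network key shorter than {MIN_KEY_LENGTH} characters")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        conf = parse_hostapd(text)
        print(name, security_mode(conf), audit(conf))
```

The hidden-SSID check mirrors the slide's advice, but treat it as housekeeping rather than a control: clients still send the name in probe and association frames, so anyone capturing traffic sees it. The findings that matter are the mode and the key length.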
Phishing
Is it fishing or phishing?
"Well, the motive is the same, but the targets are different."
Phishing
Definition
Phishing is the attempt to obtain sensitive information such as usernames, passwords and credit card details (and, indirectly, money), often for malicious reasons, by posing as a trustworthy entity in an electronic communication.
What is the risk?
• Install malware
• Lock or delete your data
• Use your machine to infect other machines
• Steal your personal information
• Use your machine to launch cyber attacks
Phishing Example
Phishing
What to do?
• Learn to identify suspected phishing emails: they copy a real company's branding, use the name of the company or of an actual employee, link to sites that look like the real business, and promise gifts or threaten the loss of an existing account.
• Check the source of incoming mail: your bank will never ask you to send your password or personal information by email. Never respond to such requests, and if you have the slightest doubt, call your bank directly on a number you already have.
• Never go to your bank's website by clicking on links included in emails; type the address or use a bookmark.
• Keep the security of your computer up to date.
• Enter your sensitive data on secure websites only ('https://'). Remember that https only means the connection is encrypted; a phishing site can have it too, so check that the domain is really your bank's.
• Periodically check your bank accounts for suspicious activity.
• Phishing knows all languages: it knows no borders and can reach you in any language. Phishing messages are often poorly written or translated, so this may be another indicator that something is wrong.
• If you have the slightest doubt, do not risk it.
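The link checks in the list above (a lookalike site, a link that does not go where its text says, plain http instead of https) can be done mechanically before anyone clicks. This is an added example, not code from the slides: it pulls every link out of an HTML message and flags the tell-tales. The sample email, `TRUSTED_HOST` and the shortener list are constructed; the punycode label in the third link is made up to look like one and is not a real encoding of anything.

```python
"""Extract the links from an HTML email and flag the phishing tell-tales
this slide lists: visible text that names one site while the link goes to
another, a lookalike of the bank's domain, a plain-http link, a URL
shortener, or a punycode host. Added example, not from the slides; the
message, TRUSTED_HOST and the shortener list are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_HOST = "yourbank.example"                         # assumed real bank domain
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # constructed list
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)

# Constructed message: the bank's wording copied, the links not.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be closed unless you verify it now.</p>
<a href="http://yourbank.example.verify-login.example/signin">https://yourbank.example/signin</a>
<a href="https://bit.ly/3abcXYZ">Claim your $50 gift</a>
<a href="https://xn--yourbnk-8va.example/">yourbank</a>
<a href="https://www.yourbank.example/help">Help centre</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def on_trusted_domain(host: str) -> bool:
    """Exact match or a real subdomain; 'yourbank.example.evil.example'
    does not qualify even though it contains the bank's name."""
    return host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)


def displayed_host(text: str) -> str:
    """Host named in the visible text, if the text looks like a URL or domain."""
    m = URL_LIKE.match(text)
    return m.group(1).lower() if m else ""


def inspect_link(href: str, text: str) -> list[str]:
    flags = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme == "http":
        flags.append("not https")
    if host in SHORTENERS:
        flags.append("shortened link hides the real destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode host (lookalike characters possible)")
    if TRUSTED_HOST in host and not on_trusted_domain(host):
        flags.append(f"lookalike: {host} is not the bank's domain")
    shown = displayed_host(text)
    if shown and shown != host:
        flags.append(f"text shows {shown} but link goes to {host}")
    return flags


def scan_email(html: str) -> list[tuple[str, list[str]]]:
    """(href, flags) for every link; an empty flag list means nothing found."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return [(href, inspect_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, flags in scan_email(SAMPLE_EMAIL):
        print("SUSPECT" if flags else "ok     ", href, flags)
```

The first link is the classic case: the text reads as the bank's address, the destination merely contains it as a prefix. `on_trusted_domain` therefore checks the host ends with the bank's domain rather than contains it. The last link is a legitimate subdomain and produces no flags, which is the behaviour to test for as well, since a checker that flags everything gets switched off.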
Social Media
Definition
Social media use web-based technologies, desktop computers and mobile technologies (e.g. smartphones and tablet computers) to create highly interactive platforms through which individuals, communities and organisations share, co-create, discuss and modify user-generated or pre-made content posted online.
What is the risk?
• ID theft
• Social profile hacked
• Letting burglars know your whereabouts
• Scams
• Malicious apps
Social Media
What to do?
• Don't post accurate personal information such as date of birth, address, etc.; these are the details used to reset passwords and verify identity.
• Have a strong password, and a different one from your email and banking accounts.
• Be careful with your status updates.
• Don't reveal your location.
• Check shortened links before clicking: hovering shows only the shortener's own address, so use the shortener's preview feature or a link expander to see the real destination.
• Activate the "Do Not Track" feature (note that this is only a request, which sites may ignore).
• Avoid posting specific travel plans. Never post when, where or how long you'll be gone.
• Wait until you are home to post pictures to a vacation album.
• Use the highest privacy control. Only let certain groups, like a family group, view your photos.
• Be selective with status updates. You can use the audience-selector dropdown menu on Facebook to choose which groups see your status updates.
Thank You

Contenu connexe

Tendances

Information Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn HospitalInformation Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn Hospital
Atlantic Training, LLC.
 
IT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community CollegeIT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community College
Atlantic Training, LLC.
 

Tendances (20)

Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by Fortinet
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
Employee Security Awareness Program
Employee Security Awareness ProgramEmployee Security Awareness Program
Employee Security Awareness Program
 
Security awareness
Security awarenessSecurity awareness
Security awareness
 
Basic Security Training for End Users
Basic Security Training for End UsersBasic Security Training for End Users
Basic Security Training for End Users
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness Training
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
 
Security Awareness Training.pptx
Security Awareness Training.pptxSecurity Awareness Training.pptx
Security Awareness Training.pptx
 
14 tips to increase cybersecurity awareness
14 tips to increase cybersecurity awareness14 tips to increase cybersecurity awareness
14 tips to increase cybersecurity awareness
 
ICT and end user security awareness slides
ICT and end user security awareness slidesICT and end user security awareness slides
ICT and end user security awareness slides
 
Information Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn HospitalInformation Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn Hospital
 
Cybersecurity Employee Training
Cybersecurity Employee TrainingCybersecurity Employee Training
Cybersecurity Employee Training
 
Securityawareness
SecurityawarenessSecurityawareness
Securityawareness
 
Cyber security training
Cyber security trainingCyber security training
Cyber security training
 
New Hire Information Security Awareness
New Hire Information Security AwarenessNew Hire Information Security Awareness
New Hire Information Security Awareness
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness Training
 
Building An Information Security Awareness Program
Building An Information Security Awareness ProgramBuilding An Information Security Awareness Program
Building An Information Security Awareness Program
 
IT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community CollegeIT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community College
 

Similaire à Information security awareness training

itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
MansoorAhmed57263
 
Security in the News
Security in the NewsSecurity in the News
Security in the News
James Sutter
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
Meg Weber
 
Basic_computerHygiene
Basic_computerHygieneBasic_computerHygiene
Basic_computerHygiene
EricK Gasana
 

Similaire à Information security awareness training (20)

itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.ppt
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsGood Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
 
Iron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data ResponsiblyIron Bastion: How to Manage Your Clients' Data Responsibly
Iron Bastion: How to Manage Your Clients' Data Responsibly
 
Protect your Database with Data Masking & Enforced Version Control
Protect your Database with Data Masking & Enforced Version Control	Protect your Database with Data Masking & Enforced Version Control
Protect your Database with Data Masking & Enforced Version Control
 
Cybercrime and the Developer Java2Days 2016 Sofia
Cybercrime and the Developer Java2Days 2016 SofiaCybercrime and the Developer Java2Days 2016 Sofia
Cybercrime and the Developer Java2Days 2016 Sofia
 
Better to Ask Permission? Best Practices for Privacy and Security
Better to Ask Permission? Best Practices for Privacy and SecurityBetter to Ask Permission? Best Practices for Privacy and Security
Better to Ask Permission? Best Practices for Privacy and Security
 
Protecting Your IP: Data Security for Software Technology
Protecting Your IP: Data Security for Software TechnologyProtecting Your IP: Data Security for Software Technology
Protecting Your IP: Data Security for Software Technology
 
Data Breaches - Sageworks, Inc., Webinar Series by Douglas Jambor
Data Breaches - Sageworks, Inc., Webinar Series by Douglas JamborData Breaches - Sageworks, Inc., Webinar Series by Douglas Jambor
Data Breaches - Sageworks, Inc., Webinar Series by Douglas Jambor
 
Forensic And Cloud Computing
Forensic And Cloud ComputingForensic And Cloud Computing
Forensic And Cloud Computing
 
Security in the News
Security in the NewsSecurity in the News
Security in the News
 
The Cloud Beckons, But is it Safe?
The Cloud Beckons, But is it Safe?The Cloud Beckons, But is it Safe?
The Cloud Beckons, But is it Safe?
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezThe Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
 
[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors[Bucharest] Catching up with today's malicious actors
[Bucharest] Catching up with today's malicious actors
 
Baking Security into the Company Culture (2017)
Baking Security into the Company Culture (2017) Baking Security into the Company Culture (2017)
Baking Security into the Company Culture (2017)
 
Simplitfy - Guarding your Data
Simplitfy - Guarding your DataSimplitfy - Guarding your Data
Simplitfy - Guarding your Data
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
 
Basic_computerHygiene
Basic_computerHygieneBasic_computerHygiene
Basic_computerHygiene
 
Stackfield Cloud Security 101
Stackfield Cloud Security 101Stackfield Cloud Security 101
Stackfield Cloud Security 101
 

Dernier

1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
PECB
 
An Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdfAn Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdf
SanaAli374401
 
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
MateoGardella
 

Dernier (20)

Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric  nursing HISTORY  COLLECTION  .docxpsychiatric  nursing HISTORY  COLLECTION  .docx
psychiatric nursing HISTORY COLLECTION .docx
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
An Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdfAn Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdf
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
PROCESS RECORDING FORMAT.docx
PROCESS      RECORDING        FORMAT.docxPROCESS      RECORDING        FORMAT.docx
PROCESS RECORDING FORMAT.docx
 

Information security awareness training

  • 1. Information Security Awareness JULY 2017 DAY1 SANDEEP TAILENG
  • 2. Day 1:Topics Covered • 10:00 - 10:15 - Greetings • 10:15 – 10:30 –WisdomTree • 10:30 – 11:00 – Crown Jewels • 11:00 – 11:30 –Three Letter Magic • 11:30 – 12:00 – Case Study • 12:00 – 12:30 – InfoSec Survey Day 2:Topics Covered • 10:00 - 10:15 - Greetings • 10:15 - 10:30 - Antivirus software • 10:30 - 10:45 - Backups • 10:45 - 11:00 - Portable Storage Devices • 11:00 - 11:30 Inadequate passwords • 11:30 - 12:00Wireless network security settings • 12:00 - 12:30 - Phishing • 12:30 - 13:00 - Social media Agenda
  • 3. Wisdom Tree Wisdom Knowledge Information Data South facing traffic lights on corner of George and Pitt Street has turned red Meaning Red, 192.234.235. 245.678Raw I better stop the carApplied The traffic lights I am driving toward has turned red Context
  • 4. Enterprise • Customer Data • Employee Data • Financial Numbers • IT Infrastructure • Location of DR Site • Business Strategy Personal • Driving License Number • Address • TFN Number • Medical Records • User ID and Passwords • Banking Information Crown Jewels
  • 5. Why Secure Them • Liability • PrivacyConcerns • CopyrightViolations • IdentityTheft • ResourceViolations • Reputation Protection • Meet Expectations • Laws & Regulations
  • 8. Case Study What Happened? • Jan 2016: Hackers installed malware into Bangladesh Central Bank computers to prevent workers from discovering the fraudulent transactions quickly. In the case of Bangladesh Bank, the malware subverted the software used to automatically print SWIFT transactions. • Feb 2016: Hackers used SWIFT credentials of Bank employees to send more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of NewYork asking the bank to transfer $951 millions of the Bangladesh Bank's funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia. • Thirty transactions worth $851 million were flagged by the banking system for staff review, but five requests were granted; $20 million to Sri Lanka (later recovered), and $81 million lost to the Philippines, entering the Southeast Asian country's banking system on February 5, 2016.This money was laundered through casinos and some later transferred to Hong Kong.
  • 9. Case Study How was it stopped/discovered? • The hackers misspelled "Foundation" in their request to transfer the funds, spelling the word as "Fundation".This spelling error gained suspicion from Deutsche Bank, a routing bank which put a halt to the transaction in question after seeking clarifications from Bangladesh Bank. • Sri Lanka-based Pan Asia Bank initially took notice of the transaction, with one official noting the transaction as too big for a country like Sri Lanka. Pan Asia Bank was the one which referred the anomalous transaction to Deutsche Bank.The Sri Lankan funds have been recovered by Bangladesh Bank.
  • 10. Case Study The impact • $81 Millions lost • Unrepairable reputational damage • Loss of trust in global market
  • 11. Information Security Survey 1. What are your responsibilities for the protection of company assets? a) Assist with the protection and proper use of information assets b) Know the processes to protect information assets c) Build proper security practices into your day d) All of the above d) All of the above
  • 12. Information Security Survey 2. When sending or forwarding email you should make sure that it does not? a) Create a chain mail situation b) Have an attachment file c) Follow general business practices d) Send to intended recipient a) Create a chain mail situation
  • 13. Information Security Survey 3. When constructing a password you should? a) You should use your family member name, sports name, pet name and add a number on the end b) Use phrases or misspelled words with embedded numbers and special characters c) Use sequenced letters and numbers from your keyboard d) All of the above b) Use phrases or misspelled words with embedded numbers and special characters
  • 14. Information Security Survey 4. What would you do if you encountered a security incident? a) Contact your SecurityTeam or General Manager b) Tell a co-worker c) Call the local newspaper d) None of the above a) Contact your SecurityTeam or General Manager
  • 15. Information Security Survey 5. Who or what is the weakest link in the security chain? a) Internet b) Banking System c) Humans d) Head Office c) Humans
  • 16. Information Security Survey 6. What is the best password for organisation’s system a) P@sS2 b) Password12345 c) T88Sydn3y d) J*gi97!0q d) J*gi97!0q
  • 17. Information Security Survey 7. You are on your holidays and one of your staff called you to approve a $5 millions bank transfer.What would you do? a) Unrealistic. I am unreachable on my holidays b) My staff know my password while I am away c) I will ignore the call d) I will call back to the office number and ask the person to authenticate, before taking any action. d) I will call back to the office number and ask the person to authenticate, before taking any action.
  • 18. Information Security Survey 8. Your kids visited you in your office and wanted to see the server room. What should you do? a) Open the server room and show them the servers b) Ask for permission from the General Manager c) Distract my kids d) The server room is off limits to any unauthorised individuals d) The server room is off limits to any unauthorised individuals
  • 19. Information Security Survey 9. There is an earthquake in your city and your office is not available. What should you do? a) Call my General Manager / Colleague b) Stay at a safe location till any further instructions are provided c) Arrive at the identified BCP site d) All of the above d) All of the above
  • 20. Information Security Survey 10. Information sent from my corporate email account is private and no one can look at it? a) True b) False b) False
  • 21. Information Security Awareness JULY 2017 DAY2 SANDEEP TAILENG
  • 22. Agenda - Day 2: Topics Covered
    • 10:00 - 10:15 - Greetings
    • 10:15 - 10:30 - Antimalware software
    • 10:30 - 10:45 - Backups
    • 10:45 - 11:00 - Portable Storage Devices
    • 11:00 - 11:30 - Inadequate passwords
    • 11:30 - 12:00 - Wireless network security settings
    • 12:00 - 12:30 - Phishing
    • 12:30 - 13:00 - Social media
  • 23. Some Definitions
    Viruses
    • A virus is a computer program intentionally written and released to spread across computers and networks and disrupt your computing experience.
    • These bad-mannered programs come to your PC through email, the Internet, downloaded files, and files you open on a CD.
    • Viruses typically work by attaching themselves to another program on your PC, and do not infect the computer until that program runs.
    Worms
    • A worm is similar to a virus but doesn't need to attach itself to another program to run.
    • Worms, a sub-class of viruses, replicate automatically without human help (for example, by mailing themselves to everyone in an email address book).
    • Worms can bog down networks and web sites. And the scary part is that you don't have to do anything but turn your computer on!
    Trojans
    • A Trojan poses as a legitimate program but is designed to disrupt computing on the PC it infects. It is not designed to spread to other computers.
    Backdoor Trojans
    • This type of code allows other computer users to gain access to your computer across the Internet.
  • 24. Anti-Malware Software
    Definition
    Anti-malware software is a program or set of programs designed to prevent, search for, detect, and remove malicious software such as viruses, worms, trojans, adware, and more.
    What is the risk?
    • Lock / delete your data
    • Use your machine to infect other machines
    • Steal your personal information
    • Use your machine to launch cyber attacks
  • 25. Anti-Malware Software
    What to do?
    • Compare the anti-malware products available and choose one you can manage
    • Update your anti-malware software regularly
    • Run an anti-malware scan on your device periodically (at least monthly)
    • Do not turn it off to install new software
    Examples: Avast, ESET, Malwarebytes, McAfee, Avira, Kaspersky, AVG
  • 26. Data Backup
    Definition
    A backup is a copy of computer data, archived so that it can be used to restore the original after a data loss event.
    What is the risk?
    • Unable to recover data after its loss, whether by deletion or corruption
    • Unable to recover data as it was at an earlier time
    Are Backup and Disaster Recovery the Same?
    • No. Backups should be part of any disaster recovery plan, but backups by themselves are not a complete disaster recovery plan, because not all backup systems can reconstitute a computer system or other complex configuration.
  • 27. Data Backup
    What to do?
    • Backup, backup and more backup
    • Backup media:
      • External hard drive
      • Flash drive
      • Cloud storage
    • Periodically check that your backup files can be restored
  • 28. Portable Storage Devices
    Definition
    Portable Storage Devices (PSDs) are small, lightweight, portable devices capable of storing large amounts of data. The most common kinds of PSDs are USB flash drives (also called USB keys or thumb drives), portable external hard drives, tablets (iPad, Galaxy Tab), smart phones (iPhone, Android) and some MP3 players (iPod, Zune). Additionally, netbooks are often considered to be PSDs.
    What is the risk?
    • Easy to carry in and out of the enterprise
    • Most of the time no encryption
  • 29. Portable Storage Devices
    What to do?
    • Scan these devices for malicious software before use.
    • Label these devices indicating their use.
    • Disable autorun and autoplay features for removable media. These automatically open files on removable media as soon as it is plugged into your system.
    • Define procedures for ensuring secure disposal of PSDs, or secure deletion of the information on them.
    • If possible, encrypt or password protect these devices.
  • 30. Weak Passwords / PINs
    Some Facts
    • The top 5 passwords are 123456, 123456789, qwerty, 12345678, password
    • The top 5 PINs are 1234, 1111, 0000, 9999, and the person's year of birth
    • The list above has not changed in the last five years
    • Two-thirds of people use no more than two passwords for all their online accounts
    • When people are asked to include a number in a password, the majority simply add a "1" or a "2" at the end
    • The minimum password length experts now recommend to avoid being compromised by brute-force cracking is 13
    • About 40% of organizations store privileged and administrative passwords in a Word document or spreadsheet
  • 31. Weak Passwords / PINs
    What to do?
    • Wherever possible, use two-factor authentication or biometrics
    • Don't use your login or user name in any form (as-is, reversed, capitalized, doubled, etc.)
    • Don't use your first, middle, or last name in any form.
    • Don't use your spouse's, significant other's, children's, friend's, or pet's name in any form.
    • Don't use other information easily obtained about you, including your date of birth, license plate number, telephone number, social security number, make of your automobile, house address, etc.
    • Don't use a password of all digits or all the same letter.
    • Don't use a word contained in English or foreign language dictionaries, spelling lists, acronym or abbreviation lists, or other lists of words.
    • Don't use a password containing fewer than six characters.
    • Don't give your password to another person for any reason.
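As an added example that is not part of the slides, the Python checker below applies the rules on this slide (personal names in any form, all digits, all the same character, dictionary words, minimum length) together with the "embedded numbers and special characters" advice from survey question 3 and the trailing-digit habit noted on the facts slide; the user name "sandeep", the year "1985" and the word list are constructed, and the minimum length defaults to the slide's six characters (pass 13 for the length the facts slide recommends).

```python
import re

# Constructed stand-in for the dictionary / acronym lists the slide warns about;
# a real checker would load a full word list (and the site's own banned-password list).
DICTIONARY = ("password", "welcome", "qwerty", "letmein", "sydney", "admin")


def personal_forms(item: str) -> tuple:
    """Forms of a name the slide forbids. Capitalised and doubled forms are already
    caught by the case-insensitive substring test, so only as-is and reversed are needed."""
    item = item.lower()
    return (item, item[::-1]) if item else ()


def check_password(password: str, personal: list, min_length: int = 6) -> list:
    """Return the rules the password breaks (empty list = acceptable).

    `personal` holds the login name plus anything easily found about the user
    (names, year of birth, phone number, plate number...)."""
    problems = []
    pw = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.isdigit():
        problems.append("all digits")
    if len(set(pw)) == 1:
        problems.append("all the same character")
    for item in personal:
        if any(form in pw for form in personal_forms(item)):
            problems.append(f"contains personal information '{item}'")
    for word in DICTIONARY:
        if word in pw:
            problems.append(f"contains dictionary word '{word}'")
    if not (re.search(r"\d", password) and re.search(r"[^A-Za-z0-9]", password)):
        problems.append("no embedded number and special character")
    if re.fullmatch(r"\D+\d+", password):
        problems.append("digits only tacked onto the end, not embedded")
    return problems


if __name__ == "__main__":
    # The four candidates from survey question 6, checked for a constructed user "sandeep" born in 1985.
    for candidate in ("P@sS2", "Password12345", "T88Sydn3y", "J*gi97!0q"):
        print(candidate, "->", check_password(candidate, ["sandeep", "1985"]) or "OK")
```

Only J*gi97!0q passes every rule, which matches the survey's answer key; raising min_length to 13 makes even that one fail on length alone.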
  • 32. Wireless Network Security
    Definition
    A wireless network is a computer network that uses wireless data connections between network devices such as laptops and mobile phones.
    What is the risk?
    • Your neighbour can use your internet connection for free
    • Impersonation
    • Connected devices may get attacked
  • 33. Wireless Network Security
    What to do?
    • Change your router's admin username and password
    • Hide your wireless router (if possible)
    • Set a strong password
    • Set a strong Wi-Fi network key
    Security        Rank
    WEP             Basic
    WPA Personal    Strong
    WPA2 Personal   Strongest
  • 34. Phishing Is it fishing or phishing? "Well, the motive is the same but the targets are different"
  • 35. Phishing
    Definition
    Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising oneself as a trustworthy entity in an electronic communication.
    What is the risk?
    • Install malware
    • Lock / delete your data
    • Use your machine to infect other machines
    • Steal your personal information
    • Use your machine to launch cyber attacks
  • 37. Phishing
    What to do?
    • Learn to identify suspected phishing emails: they duplicate the image of a real company, copy the name of a company or of an actual employee of the company, include sites that are visually similar to a real business, and promote gifts or threaten the loss of an existing account.
    • Check the source of information from incoming mail: your bank will never ask you to send your passwords or personal information by mail. Never respond to these questions, and if you have the slightest doubt, call your bank directly for clarification.
    • Never go to your bank's website by clicking on links included in emails.
    • Enhance the security of your computer.
    • Enter your sensitive data in secure websites only ('https://').
    • Periodically check your bank accounts for any suspicious activity.
    • Phishing knows all languages: phishing knows no boundaries and can reach you in any language. In general, these messages are poorly written or translated, so this may be another indicator that something is wrong.
    • If you have the slightest doubt, do not risk it.
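As an added example, not from the slides, here is a small Python link-triage routine a defender could run over a URL taken from an email: it applies the 'https://' rule, flags links that only look like one of the user's trusted sites, and applies the social media slide's advice to expand shortened links before trusting them. The trusted domains, the shortener list and the look-alike substitutions are constructed placeholders.

```python
import difflib
from urllib.parse import urlparse

# Constructed allowlist: the sites this user really logs in to (placeholder domains, not real ones).
TRUSTED_DOMAINS = ("mybank.example", "intranet.example")
# Constructed list of link shorteners; the slides say to expand these (hover) before clicking.
SHORTENERS = ("short.example", "bit.ly", "tinyurl.com")
# Look-alike substitutions folded away before comparing host names (constructed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "-": ""})
LOOKALIKE_RATIO = 0.85


def registrable(host: str) -> str:
    """Owner-level domain: the last two labels (simplification: ignores suffixes such as com.au)."""
    return ".".join(host.split(".")[-2:])


def triage_link(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return warnings for a link found in an email; an empty list means the link
    points at one of the user's trusted sites over HTTPS."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reg = registrable(host)
    warnings = []
    if parsed.scheme != "https":
        warnings.append("not https: never enter sensitive data here")
    if reg in SHORTENERS:
        warnings.append("shortened link: expand it (hover) before trusting it")
    elif reg not in trusted:
        before = len(warnings)
        folded = reg.translate(CONFUSABLES)
        for good in trusted:
            if good in host:
                # trusted name used as a sub-label of a domain somebody else owns
                warnings.append(f"'{good}' appears inside unrelated domain '{reg}'")
            elif difflib.SequenceMatcher(None, folded, good.translate(CONFUSABLES)).ratio() >= LOOKALIKE_RATIO:
                warnings.append(f"'{reg}' looks like '{good}' but is a different domain")
        if len(warnings) == before:
            warnings.append(f"'{reg}' is not one of your trusted sites")
    return warnings


if __name__ == "__main__":
    for link in ("https://www.mybank.example/login", "http://mybank.example.secure-login.example/reset",
                 "https://mybank.examp1e/login", "https://short.example/x"):
        print(link, "->", triage_link(link) or "trusted")
```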
  • 38. Social Media
    Definition
    Social media use web-based technologies, desktop computers and mobile technologies (e.g., smartphones and tablet computers) to create highly interactive platforms through which individuals, communities and organizations can share, co-create, discuss, and modify user-generated content or pre-made content posted online.
    What is the risk?
    • ID theft
    • Social profile hacked
    • Letting burglars know your whereabouts
    • Scams
    • Malicious apps
  • 39. Social Media
    What to do?
    • Don't put accurate personal information such as date of birth, address, etc.
    • Have a strong password.
    • Be careful with your status updates.
    • Don't reveal your location.
    • Check shortened links by hovering your mouse over them before clicking.
    • Activate the "Do Not Track" feature.
    • Avoid posting specific travel plans. Never post when, where, or how long you'll be gone.
    • Wait until you are home to post pictures to a vacation album.
    • Use the highest privacy control. Only let certain groups, like a family group, view your photos.
    • Be selective with your status updates. You can use the audience-selector dropdown menu on Facebook to choose which groups see your status updates.

Editor's notes

  1. Confidentiality: Confidentiality is the protection of information from unauthorized access. This goal of the CIA triad emphasizes the need for information protection. Confidentiality requires measures to ensure that only authorized people are allowed to access the information. For example, confidentiality is maintained for a computer file if authorized users are able to access it, while unauthorized persons are blocked from accessing it. Confidentiality in the CIA triad relates to information security because information security requires control over access to the protected information.
     Integrity: The CIA triad goal of integrity is the condition where information is kept accurate and consistent unless authorized changes are made. It is possible for information to change because of careless access and use, errors in the information system, or unauthorized access and use. In the CIA triad, integrity is maintained when the information remains unchanged during storage, transmission, and usage not involving modification of the information. Integrity relates to information security because accurate and consistent information is a result of proper protection. The CIA triad requires information security measures to monitor and control authorized access, use, and transmission of information.
     Availability: The CIA triad goal of availability is the situation where information is available when and where it is rightly needed. The main concern in the CIA triad is that the information should be available when authorized users need to access it. Availability is maintained when all components of the information system are working properly. Problems in the information system could make it impossible to access information, thereby making the information unavailable. In the CIA triad, availability is linked to information security because effective security measures protect system components and ensure that information is available.
  2. As the first process, authentication provides a way of identifying a user, typically by having the user enter a valid user name and valid password before access is granted. The process of authentication is based on each user having a unique set of criteria for gaining access. The AAA server compares a user's authentication credentials with other user credentials stored in a database. If the credentials match, the user is granted access to the network. If the credentials are at variance, authentication fails and network access is denied. Following authentication, a user must gain authorization for doing certain tasks. After logging into a system, for instance, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands. Simply put, authorization is the process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorization occurs within the context of authentication. Once you have authenticated a user, they may be authorized for different types of access or activity. The final plank in the AAA framework is accounting, which measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.
  3. The first known computer virus appeared in 1971 and was dubbed the "Creeper virus".[5] This computer virus infected Digital Equipment Corporation's (DEC) PDP-10 mainframe computers running the TENEX operating system.[6][7] The Creeper virus was eventually deleted by a program created by Ray Tomlinson and known as "The Reaper".[8] Some people consider "The Reaper" the first antivirus software ever written.
  5. Data loss can be a common experience of computer users; a 2008 survey found that 66% of respondents had lost files on their home PC.
  7. Explain how to generate strong password