14. Top Tips to Avoid Phishing
Check who the email sender is.
Check the email for grammar and spelling
Mouse over the link to see where it goes.
Do not click the link – manually type it in.
16. • Manipulation of people into divulging
confidential or sensitive information
• Most commonly done over email, but
also regularly carried out over the phone
17. • Can be a slow gain of information
• Can attempt to gain all information
needed at once
18. • Phone call targets employees at
• Caller asks who the boss/CEO is.
• Requests his/her email address.
• Now the attacker has the username
and the name of the person targeted for
Social Engineering Examples
19. • A person walks into office
pretending to be a contractor.
• Due to his/her uniform, people
assume it’s OK.
• Person walks into room with
sensitive info and steals it.
Social Engineering Examples
20. Top Tips to Avoid Social Engineering
Be careful with the information
Verify credentials of contractors.
If you have any doubts on the
identity of callers, hang up and
call their official company
22. • What city did you grow up in?
• What is your dog’s name?
• What high school did you attend?
• What is your favorite book?
• What is your dream job?
• What is your mother’s maiden name?
Can these answers be found on your Facebook account?
25. • Typically, users are honest when filling out
• Malicious parties can utilize social media to
find out the answers to these questions,
which allows them to reset your password.
• Best practice is to not be honest when filling
out these questions. Treat security questions
as another password field.
26. • Typically, users practice risky behavior
with respect to passwords.
• Passwords nowadays can be a gateway
into identity theft.
Users and Poor Password Hygiene
31. • Passwords sometimes are extracted
• Very simple to try all alternative
options of password-base
Data breaches lead to password problems because…
• Password that was stolen was elephant
• Password required by website is 8 characters 1 symbol
• 32 symbols on the computer(would take a human 5 minutes)
• Computers can carry out these tasks in fractions of a second
32. • If you have trouble remembering passwords
or creating unique passwords, utilize
a password manager.
• There are several very secure password managers
on the market that work across all Oses.
• They will remember and auto-complete your
passwords for you once your “master” password
34. • As opposed to the standard password
authentication, 2FA OTP (one-time
password) uses two elements. These are
“something that user knows,” such as a
password or a PIN code, and “something
that user has,” typically a mobile phone or
• Used in combination, they provide greatly
enhanced security for data access.
Two-factor Authentication (2FA) Explained
35. • Data breach through weak or stolen passwords
• User-created passwords that are not random
• Re-use of passwords intended for access to
company assets for private accounts
• Passwords containing user-specific data – e.g.
name, date of birth
• Simple patterns to derive new passwords, such as
“elephant1,” “elephant2,” etc.
2FA solves the problem of:
36. Top Tips for Password Safety
Utilize unique passwords across
Enable and utilize 2FA on
all websites that allow it
Choose unique, non-true
40. • Even if the website is reputable,
the advertisement being displayed could
be malicious and infect your computer or
• Free things (music, movies, game cheats,
etc.) are very commonly filled with malware,
and are rarely what they say they are.
Search Engine Safety
41. Top Tips for Search Engines
Stick to clicking on sites on the
first page of results.
Be careful when clicking on
non-name recognizable sites.
masquerades as free things.
43. • Filters web traffic based off pre-configured
policies set by the administrator.
• There are both home versions and
• Home versions focus on child safety, while
corporate versions focus on employee
Web Content Filter
44. • Not only can it restrict the content that is
displayed to a certain audience, it can also
be utilized to filter malicious content and
protect the user.
Web Content Filter
45. Top Tips for Web Content Filter
Increase employee productivity by
implementing a web filter.
Curb risky user behavior and reduce
malware exposure by implementing
a web filter.
Protect children’s mobile devices and
computers from displaying inappropriate
content with a web filter.
47. • Is a protocol for secure communication over
a computer network which is widely used on
• HTTPS is typically notated by displaying a green
lock in the web address bar:
48. Top Tips for Secure Websites (HTTPS)
Before entering sensitive
information, check to see if the site
is secured by HTTPS.
Check to make sure this is a
reputable website before entering
credit card information; don’t just
depend on the HTTPS indicator.
50. Top Tips for Public Wi-Fi
Verify the Wi-Fi name with the
business owner prior to connecting.
Treat public Wi-Fi connections as
Utilize an anti-malware product to
help prevent against cyberattacks
52. Top Tips for Internet of Things (IoT)
Change default usernames and passwords
on all devices including routers.
If you do not utilize the web features,
Make sure all IoT devices, including
routers, are kept up to date with the
newest firmware (software).
56. Top Tips for 2FA and Email
Password protect or utilize fingerprint
reader to protect your 2FA app in case of
a lost device.
Do not utilize SMS if you can help it as a 2FA
method; always use an application or push.
Enable 2FA not just on email but all critical
websites and applications that allow it.
60. Top Tips for Spam Protection
Utilize a different provider or 3rd party
product if necessary.
Never click, open or respond to spam
When posting email to classified sites,
use the following format to keep spam
bots from retrieving and using your
address: john.smith (at) email.com.
62. Top Tips for Attachment Policies
Employees need training and a clear
Never open or save attachments from
an unknown sender.
Even though something looks like a file
that you do not think is malicious…
doesn’t mean it isn’t malicious.
64. Top Tips for Preventive Measures
Utilize an AV product on all devices, not just
Define a clear attachment policy coupled with a spam filter.
Implement a Web content filter to help with malicious
content, inappropriate content, and productivity issues.
Utilize unique passwords and maintain a clear password
policy. If needed, use a password manager.
Keep all internet-connected devices up to date, including
routers, IoT devices, computers, mobile devices.
First we will go through a threats overview, which is designed to bring awareness to the different security concerns surrounding specific threats.
Next Password Safety that will run through some best practices not just when creating passwords but utilizing them.
Then Web Protection, which will go through different things to know about when utilizing the internet
Then Email Protection, which will focus on email borne threats and spam.
Then finally we will finish up with preventative measures.
Keep in mind throughout this webinar I will be giving tips and best practices not just for you to utilize in the business world, but at home as well
Does this screen or others like this look familiar?
How about this? This is extremely important in the conversation around passwords due to the fact that most passwords can be simply changed or reset by knowing a few answers to questions about yourself. Most of these answers can be commonly found on users’ social media accounts. So it is very important to not just practice good password policies but also strong security questions as well.
So typically due to the complexity requirements of passwords usually users end up writing their passwords on sticky notes or in documents on their desktop.
Others freely share their passwords with other users. We see this especially in organizations that require users to clock in at the beginning and end of the day. They do not want to be late again so they call their friend who is already at work and ask them to clock in for them.
Current password policies that are often used today are not adequate at protecting users. As you can see this is what a typical user does. If a password requires 8 characters they might choose something like elephant. But if they go to another application or website and now it requires a number, they are not going to think of a brand new unique password, they are just going to tack on a 1 at the end. This continues when websites require a symbol, or capital. Users are re-using the exact same password base, which is Elephant.
This leads to current password policies that typically have users change their password every 90 days or every 6 months. Users are not increasing your businesses security by changing their password on these scheduled intervals due to them doing the above. They are simply going to the next number and next symbol on the keyboard. In fact now NIST is recommending against having users change passwords every 90 days due to the above.
So when data breaches occur passwords are sometimes extracted, it would be very easy for me to go to another website and figure out what your password is.
For example if the password that was stolen was elephant, and I went to a website that required 8 characters and 1 symbol. There are only 32 symbols on the keyboard, therefore I only need to type in elephant and then try every symbol and see if I gain access into whatever system I am trying to break into.
So a great resource to inform your users about is this website. which will check all of the databases of compromised credentials to see if your credentials are any of the ones that have been stolen. You can enter in your commonly used usernames or email address and it will let you know if there has been a breach and what was breached. If your password was stolen it is recommended to completely change your password, don’t just change the number or symbol!
So Two-Factor is a solution that can prevent poor password policies, and ultimately turns the login process into requiring a User, Password, and a One time password. This one time password typically comes from a mobile device or hard token. So it turns the password authentication into something that the user knows (such as a password) and something they have (a cell phone). If you do not have both pieces of information you are unable to log in.