2. Outline
Welcome
Introduction to Security Awareness Program
Password Usage and Management
Virus Protection
E-mail
Internet Usage
Shoulder Surfing
Social Engineering
Access Control
Personal Devices
Summary
References
3. Welcome to Security Awareness Training
Why are we here?
We are here because security awareness is becoming a
bigger issue with every day that passes.
What will we be discussing? In a few words, we will be
discussing how to be more security minded.
A little about myself
I have been in the IT field for 15+ years and am now
a security analyst and trainer.
4. Introduction to Security Awareness Program
“Security awareness training is a formal process for educating
employees about computer security” (Rouse, M. (2016)).
A good security awareness program should educate employees
about corporate policies and procedures for working with
information technology (IT).
Employees should receive information about who to contact if
they discover a security threat and be taught to treat data as a
valuable corporate asset.
Regular training is particularly necessary in organizations with
high turnover rates and those that rely heavily on contract or
temporary staff.
Confirming how well the awareness program is working can be
difficult. The most common metric looks for a downward trend
in the number of incidents over time.
5. Password Usage and Management
Passwords must be at least 8 characters long.
Passwords must include at least one capital letter, one lower-case
letter, a number and a special character (for example *%$#^&@!).
Passwords may not be dictionary words or names.
Passwords expire after 150 days. You will be given
notice before they expire.
Passwords cannot be reused.
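The rules on this slide are the kind of thing a help desk or an account provisioning script checks before accepting a new password. The following checker is an added example, not part of the original training deck: it encodes the slide's rules (minimum length, character classes, the example special-character set, no dictionary words or names, no reuse, 150-day expiry). The dictionary and name lists are small constructed samples; a real deployment would load a full word list.

```python
"""Password policy checker for the rules on this slide (added example)."""
import re
from datetime import date, timedelta

MIN_LENGTH = 8
EXPIRY_DAYS = 150
SPECIAL_CHARS = set("*%$#^&@!")  # example special-character set from the slide

# Constructed sample lists; a production checker would load a real word list.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "letmein"}
COMMON_NAMES = {"john", "michael", "jennifer", "david"}


def check_password(candidate: str, previous_passwords=()) -> list:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no capital letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no number")
    if not any(c in SPECIAL_CHARS for c in candidate):
        problems.append("no special character")
    # "No dictionary words or names": strip everything but letters and compare
    # case-insensitively, so "Welcome1!" is still caught even though it carries
    # a digit and a symbol.
    core = re.sub(r"[^a-z]", "", candidate.lower())
    if core in DICTIONARY_WORDS or core in COMMON_NAMES:
        problems.append("based on a dictionary word or name")
    # "Cannot be repeated": reject anything present in the user's history.
    if candidate in previous_passwords:
        problems.append("reused from password history")
    return problems


def days_until_expiry(last_changed: str, today: str = None) -> int:
    """Days left before the 150-day expiry, given ISO dates; negative means already expired."""
    changed = date.fromisoformat(last_changed)
    now = date.fromisoformat(today) if today else date.today()
    return (changed + timedelta(days=EXPIRY_DAYS) - now).days


def needs_expiry_notice(last_changed: str, today: str = None, warn_days: int = 14) -> bool:
    """True when the user should be notified that the password is about to expire."""
    return days_until_expiry(last_changed, today) <= warn_days


if __name__ == "__main__":
    history = ["Xq7$mLp2!z"]
    for pw in ["Welcome1!", "correcthorse", "Xq7$mLp2!z", "Kv4#pRt9@w"]:
        result = check_password(pw, history)
        print(f"{pw!r}: {'OK' if not result else ', '.join(result)}")
    print("days until expiry:", days_until_expiry("2016-01-01", "2016-06-01"))
```

Run it directly to see each sample password judged against the rules; the expiry helper is what a notification job would call to decide who gets the "your password is expiring" reminder the slide promises.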
6. Virus Protection
The IT department will scan all computers and servers on
Wednesday nights.
Antivirus software must stay installed on all computers.
Antivirus software will scan e-mails.
7. E-mail
DO NOT OPEN suspicious e-mails.
If you have doubts about opening an attachment, delete the
e-mail immediately and then empty the Deleted Items folder.
Contact IT with any questions.
Careless e-mail handling leads to attacks like shoulder surfing
and social engineering.
8. What is Shoulder Surfing?
According to Searchsecurity.techtarget.com, “Shoulder surfing
is using direct observation techniques, such as looking over
someone's shoulder, to get information. Shoulder surfing is an
effective way to get information in crowded places because it's
relatively easy to stand next to someone and watch as they fill
out a form, enter a PIN number at an ATM machine, or use a
calling card at a public pay phone. Shoulder surfing can also be
done long distance with the aid of binoculars or other vision-
enhancing devices. To prevent shoulder surfing, experts
recommend that you shield paperwork or your keypad from
view by using your body or cupping your hand”
(searchsecurity.techtarget.com. (2016)).
Shoulder surfing is something we have all encountered more than
once in our lives: people tend to stand over you when you enter
your password or other data.
9. What is Shoulder Surfing?
Techopedia explains Shoulder surfing as: “Because of our data
and identity driven society, personal security keys, like
username and password combinations, are critical personal and
private data safeguards. Unfortunately, technical savvy is not
always required for hackers to gain information. The most
commonly stolen data through shoulder surfing includes credit
card numbers, personal identification numbers (PIN), important
personal information (like middle name and birth date used in
password recovery) and usernames/passwords. This type of
information may be used to login to accounts and steal other
information, such as money, in the case of bank accounts”
(www.techopedia.com. (2016)).
10. What is Social Engineering?
“Social engineering is an attack vector that relies
heavily on human interaction and often involves
tricking people into breaking normal security
procedures” (Rouse, M. (2016)).
Social engineering depends on you being helpful with information.
Do not share information with those who do not need to
know it.
11. Popular types of social engineering attacks include:
Baiting: Baiting is when an attacker leaves a malware-infected physical device, such
as a USB flash drive, in a place it is sure to be found. The finder then picks up the
device and loads it onto his or her computer, unintentionally installing the malware.
Phishing: Phishing is when a malicious party sends a fraudulent email disguised as
a legitimate email, often purporting to be from a trusted source. The message is
meant to trick the recipient into sharing personal or financial information or
clicking on a link that installs malware.
Spear phishing: Spear phishing is like phishing, but tailored for a specific
individual or organization.
Pretexting: Pretexting is when one party lies to another to gain access to privileged
data. For example, a pretexting scam could involve an attacker who pretends to need
personal or financial data in order to confirm the identity of the recipient.
Scareware: Scareware involves tricking the victim into thinking his computer is
infected with malware or has inadvertently downloaded illegal content. The
attacker then offers the victim a solution that will fix the bogus problem; in reality,
the victim is simply tricked into downloading and installing the attacker's malware.
12. Internet Usage
For work usage only.
The IT department will be monitoring usage.
NO social media sites allowed.
Personal usage is permitted during lunch only.
No music or video streaming will be allowed.
13. Access Control
All employees will be given an access card to enter the
facilities.
Always check in at security sites.
The card must be with you at all times.
Some areas will require a passcode.
Report a stolen or missing card immediately.
Access control to data will be determined by your job
functions.
14. Personal Devices
Cell Phones
Laptops
Tablets
None of these will be allowed to connect to the Wi-Fi.
Usage is prohibited except on breaks or at lunch.
You must get permission from management before
company e-mail is set up on a personal device.
15. Summary
What is a SAP? A Security Awareness Program.
Why is it necessary? To keep all employees informed
about security.
When will we receive training? At least once a year.
Where will the training be held? Front Conference
Room.
Remember: if you have a bad feeling about
something, listen to that feeling and seek
assistance from IT.
16. References
Searchsecurity.techtarget.com. (2016). Shoulder Surfing. Retrieved from
http://searchsecurity.techtarget.com/definition/shoulder-surfing
www.techopedia.com. (2016). Shoulder Surfing. Retrieved from
https://www.techopedia.com/definition/4103/shoulder-surfing
Rouse, M. (2016). Social Engineering. Retrieved from
http://searchsecurity.techtarget.com/definition/social-engineering
Rouse, M. (2016). Security Awareness Training. Retrieved from
http://searchsecurity.techtarget.com/definition/security-