Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Information Security Awareness Training
Ähnlich wie Information Security Awareness Training (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Information Security Awareness Training
- 1. Information Security Liaison Awareness Training Kelley Bogart, CISSP Senior Information Security Specialist University Information Security Office
- 2. What is Information Security? Program Process (not a Project) Never 100% Risk Management Improve Security Posture Changing Security Landscape Threats (motives) Countermeasures
- 3. Goal of Information Security To ensure the confidentiality, integrity and Protected Confidential availability Information Information (CIA) of critical & systems and Critical Systems confidential information
- 4. CIA Triad transmission To ensure To ensure the dis e rag protection accuracy and po sto s against completeness of al unauthorized information to access to or use protect university of confidential business information processes To ensure that information and vital services are assessible for use when required
- 5. Information Security Domains 1. Access Control 2. Application Security 3. Business Continuity and Disaster Recovery Planning 4. Cryptography 5. Information Security and Risk Management 6. Legal, Regulations, Compliance and Investigations 7. Operations Security 8. Physical (Environmental) Security 9. Security Architecture and Design 10. Telecommunications and Network Security
- 6. 90/10 Rule 90% People Process Technology 10%
- 7. What is Security Awareness? Security awareness is the knowledge, skill and attitude an individual possesses regarding the protection of information assets. Being Security Aware means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse your account, computer or the data stored on your computer. Awareness of the risks and available safeguards is the first line of defense for the security of information, systems and networks.
- 8. Security Awareness Includes: Information about how to Protect Detect React Knowledge, Skill and Attitude The What The How The Why Include WIIFM What’s in it for me? Culture Change
- 9. State of the Internet
- 10. Defense in Depth Anti-Virus Network Anti-Spyware Host Encrypted Session Controls Communication Application Limit Use of “Privileged” Strong Passwords Accounts OS and App Physical Patches Security
- 11. Account Access Controls Passwords Strong Not Shared Storage Accounts Limit use of Privileged Accounts Session Controls Password protected screensaver Ctrl-Alt Delete (enter) or Windows L
- 12. Wireless – On Campus Use only UAWifi (not public) Security (WPA2 & PEAP) No Rate or Port limitation http://uawifi.arizona.edu
- 13. Use of Other Wireless Home Change default admin username and password Configure to use encryption (avoid WEP, use WPA or WPA2) Do not Broadcast SSID Ask your computer savvy friend to help you configure your home wireless to use encryption Wireless Security Page (on Computer security resource hand out) Other Airports, Hotels, Conferences “Free” WiFi Hotspots
- 14. Surf Safely You know there are bad parts of town that you don’t go to The Internet is the same way – be wary!
- 15. Surf “safer” w/ SiteAdvisor http://www.siteadvisor.com/
- 19. Questions?
Hinweis der Redaktion
- Controls can be administrative, technical or physical
- More on the goal of Information Security. Talk about the CIA Triad
- Technology is only part of information security…..people and policy are just as (if not more) important than the technology itself. People at all levels……This includes: the IT people responsible for implementing, configuring, maintaining and monitoring the technology (do they have the required knowledge and understanding) the people in charge of policy and compliance. and lastly the end user. Personal computers comprise a large percentage of those 1.3 billion connected devices and have become an increasingly popular target for the bad guys. If you own, use or do business with someone that uses a computer you are the last layer of defense against the rapidly growing computer security threats in cyber space. The only way to ensure protection of your computer and/or sensitive/confidential or regulatory protected data is to take responsibility by understanding the threats as well as the layers to defend against That technology alone cannot keep us secure. People are the last layer of defense. Security is Everyone's responsibility! Sec-U-R-IT-y………You Are It!
- Trojans – software downloads - Kaaza Viruses – Emails Zombies or Botnets Phishing (Identity Theft) Spyware Most incidents are unintentional and can be avoided.
- Kelley: According to Internetworldstats.com, there are slightly over 1.3 billion internet users worldwide. Approx. 19% (18.9) or 237 million from North America that means the other 81% are from the rest of the world. Once connected to the internet your computer is accessible to those users. Car analogy: private driveway or road versus main highway. The 1950s American bank robber Willie Sutton was asked why he robbed banks. He said he robbed banks because, “ That’s where the money is.” Today it’s in Cyberspace. Also talk Physical crime (stealing a car) is one to one relationship. Cybercrime is one to a billion. B esides the one to billion ration, the criminal can be anonymous and located anywhere. It’s not about you, it’s about gaining access to your system to collect your personal information, or use your computer to launch attacks or simple to use your hard drive to store pirated movies and music files. A compromised computer provides access to all accounts, keystrokes, and data. Account and keystroke information can be used to access other resources Operational difficulties Email and documents Financial transactions Identity theft Criminal use of computer
- Defense in Depth or Layers of Defense Equate this to home security- My house ( front wall with a gate, security iron on windows and doors, a large dog, 2 locks on door Versus My neighbor (No wall or gates in front, No security Iron and oh yeah and let’s not forget their Chihuahua) Which house would a thief be more likely to break into? If you have some (ideally all) of these measures in place (personal firewall, anti-virus, up to date software, strong passwords as well as education in now knowing that you really can’t trust everything you get via email) versus someone that does not have security practices, who is more likely to have their computer compromised? It’s the same as my house analogy, it’s not that they absolutely can’t get in it will just take more time and effort. Anti-Virus Installed, Running and Updated regularly Sitelicensed Anti-Virus (Sophos) free for faculty, staff and students Can only have one Anti-Virus application installed if you already have an anti-virus regardless even if it is not up to date Anti-Spyware (spyware use to be use for tracking browsing habits, today spyware can be much more malicious in intent. Keyloggers are the lates type of spyware, a keylogger when downloaded on your computer captures everything Several free versions listed on computer security resources handout Unlike anti-virus, you can and should consider having at least two. The first time you run it, it is not uncommon to find 200 – 300 instances. Many of which are cookies. Physical Security OS and Application Patches Auto Updates Session Controls Limited Use of Privileged accounts Encrypted Communications Strong Passwords I will talk in more detail on the next several slides about the last 4 elements as I believe these are currently the areas of greatest exposure to end users. This is because even if you have the others in place (the AV, anti-spyware, current OS patches,etc.) the lack of these last 4 safeguards can and will circumvent those. Also because ultimately the data is where the money is for cybercriminals.
- Passwords…..if I could get you to think differently about one thing today it would be to have a better understanding as to the importance of creating (AND NOT SHARING) a strong password. A password is essentially the last layer of defense to your computer and personal information. You can have every other safeguard in place, if someone gets your password they are now able to access the information. Best example for students is sharing their Netid with a “friend” or “significant other” and sometime after that this relationship ends and now that person can access anything of yours with your netid and password. I have had multiple reports of students having their class canceled by these “friends” that are no longer “friends”. Do not log on as administrator on a daily basis. That is only needed when you need or want to install or update current software. If you log on with these privileges all the time that means when you visit a malicious website with malicious intent the bad guy can just as easily install malicious software. Lock your computer if you are going to be away from it so that anyone that wonders by cannot gain access to your computer and information.
- WPA2 – Wi-Fi Protected Access PEAP - Protected Extensible Authentication Protocol , Protected EAP , or simply PEAP (pronounced "peep" ) Guest requires UA sponsorship (not bandwidth or port limited also not secure) Public (bandwidth and port limited also not secure)
- If you have a wireless router set up at home you need to make sure that it is configured securely Airports, Hotels, Conferences Use of Unsecured Wireless “Hot Spots Limit what you do when connected Do not access anything sensitive unless secure (https instead of http) Use UA’s sitelicensed VPN client to connect to University Systems and Services