National Life Group is a trade name of National Life Insurance Company and its affiliates. For internal use only. Not for use with the public
Don’t be the weak link!
Cyber Security Awareness
About Cyber Security Awareness Month
National Cyber Security Awareness Month (NCSAM) began
in October of 2004. It was founded and promoted by the
Department of Homeland Security (DHS), the National Cyber
Security Alliance (NCSA), and the Multi-State Information
Sharing and Analysis Center (MS-ISAC) as a means to
promote education and awareness about the ever-increasing
number of online security threats that lurk amongst us.
For more information on NCSAM, visit:
http://www.staysafeonline.org
Our Mission
For the last several years, National Life Group has put on a
Cyber Security Awareness Fair during the month of October
in an effort to raise the awareness level of our employees
on online threats and countermeasures. NLGroup’s vision
statement is To Bring Peace of Mind to Everyone We Touch.
One of the things that we, as employees, can do to commit to
this vision is to foster a strong, responsible, security-centric
culture in regards to our computer-based infrastructure.
Due to the sensitive nature of much of the data we work
with, a computer security related incident at NLGroup could
be especially devastating. Therefore, everyone should make
it their responsibility to do everything in their power to help
keep our systems secure.
NLGroup Cyber Security Awareness Fair 2011
The security of a computer network can only be as strong as
its weakest link, which can sometimes turn out to be its users.
You can engineer your network out of all of the best hardware
and software on the market, and implement the most cutting
edge security protocols around, but all it may take is one user
opening the wrong attachment to send it crumbling down.
This year’s theme for our security awareness fair is: “Don’t be
the Weak Link”. This theme is meant to emphasize the fact
that one of the most vulnerable parts of any network is the
user with a low level of security awareness.
This document will summarize several common
attacks that target the users on a network and tips
on how to avoid them.
Social Engineering
Not all of the threats out there are high-tech, and in fact
social engineering has been around long before computers.
Social engineering covers a fairly wide area of incidents, but
at a basic level it involves using certain techniques while
interacting with someone to gather information or achieve
some other desired result. These techniques could include
all manner of trickery, such as impersonating an authority
figure, blackmail, extortion, bribery, or just lying convincingly.
Someone could even gain employment with the company
and gain the trust of his peers over time! The desired
result might be access into a building or secure area, your
login credentials, or personal information. With this new
information, the criminal can now do all kinds of unsavory
things. These types of incidents can be hard to detect, as the
perpetrator will most likely have done some research ahead of
time to put on a convincing show, whether it is in person, on
the phone, or via email.
Consider this scenario:
You receive a phone call at work from a man who introduces
himself as “Jim Brown, down here in IT...”. He knows your
name, and informs you that he is about to install some
firmware on your computer remotely, and that you are going to
have to turn off your machine for ten minutes while he applies
the changes. He goes on to say that unfortunately, the update
process reverts your password back to the default password
scheme, but if you would like you could give him your current
password and user id and he would change it back for you so
you didn’t have to put in a ticket with system security.
This phone call would likely seem convincing at face value: the
caller knew your name, identified himself, and had a very clear
purpose for calling. He also spoke casually, and knew the lingo.
If you didn’t know many people in the IT team, it would be fairly
easy to be taken in. The only real tip off is the fact that he asked
for your login credentials so that he could do you a “favor” and
reset your password for you. Many unaware people may give
“Jim” their login credentials, and then turn off their computer
for ten minutes while he does whatever he wants on their
account. Imagine trying to explain to your manager why large
volumes of sensitive information were emailed to an outside
email address from your company email account!
The next page includes tips on how to prevent social
engineering from being effective.
Fast Facts:
Each of the threats in this document
(and many more!) involves some
element of social engineering.
The following tips can help prevent social
engineering from being effective:
• NEVER give out personal information or login credentials
belonging to you or anyone else to someone you do not
know. Verify the legitimacy of such requests (in this case
by contacting IT) before releasing any information.
• Ask questions such as why they need the information,
who they report to, etc. Even well researched and practiced
impersonators can show cracks in their story when pressed.
• Do not allow anyone you do not know personally, or those
that do not have the appropriate authorization, to follow
you into the building or a secure area.
• Report suspicious personnel loitering near your
work space.
• Report any suspicious phone calls or emails to
management and system security.
Fast Fact:
Frank William Abagnale Jr. was a
successful impersonator and was able to
masquerade as a commercial pilot, doctor, lawyer,
and teacher in various work environments. Talk about
social engineering! Abagnale was portrayed by Leonardo
DiCaprio in the 2002 movie Catch Me If You Can.
(Source: Computer Security Handbook, 5th Ed. Vol 1)
Phishing and Spear-Phishing
Phishing is a specific type of attack that uses fraudulent
emails to trick people into giving out confidential information.
One of the most popular methods used involves sending out
bulk email to numerous email addresses, masquerading as an
urgent security alert from a popular bank or website such as
Bank of America, PayPal, or Facebook. These emails notify the
recipient that the website’s security has been compromised,
and that it is imperative that the user follow a link to a site to
update their security information. The provided link will lead
to a convincing webpage that will include a form asking for
personal information, passwords, IDs, and sometimes bank
account or credit card numbers to verify their identity. Once
the information is verified, the user is usually redirected to
the real webpage, completing the illusion of legitimacy. The
hapless user is now at the mercy of the people executing
the attack. This technique could even be used for the user’s
workplace login information, which would mean their
employer would also be at risk.
Spear-phishing is a more direct version of phishing. This time,
the email will appear to come from a friend, family member,
or manager. It may even contain personal references, inside
jokes, confidential information, or company signatures
gleaned from social engineering campaigns that will
make it appear legitimate. These emails will
specifically target the recipient, and the
desired result will likely be to get a
very specific set of information
from the user.
Phishing IQ Test:
If you would like to test how good you
are at detecting phishers, please take this online test.
Go to: http://www.sonicwall.com/furl/phishing/
The test will serve up actual e-mail that claims to come from
large companies; your job is to decide which are real and
which are phishing expeditions.
The next page includes tips to help protect yourself from
phishing and spear-phishing.
Fast Fact:
An estimated
59 million phishing e-mails
are sent each day.
(Source: http://www.scmagazineus.com/aniti-phishing-bill-working-its-way-through-us-senate/article/107762/)
The following tips will help protect yourself
and NLGroup from becoming the victims of
a phishing or spear-phishing attack:
• Don’t respond to emails requesting you confirm your user-ID
and password or other credentials, account numbers etc.
• Don’t respond to unsolicited emails: If you don’t know the
sender, don’t respond. If they are offering a product or
service, remember the old adage “If it looks too good to be
true, it probably is.”
• Don’t click on links in emails: Link names do not necessarily
reflect where they link to. A link that says www.google.com
can take you to any website. A better practice is to type the
address manually into your web browser.
• Verify transmission of sensitive info with the sender: If you
receive an email requesting sensitive information, it never
hurts to verify the request by calling the company or individual
sending the email. Make sure you use a phone number from a
secondary source, not the one provided in the email.
• Read emails carefully: Pay attention to the content of an
email. If an email is supposed to be an official announcement
or request, it should raise some suspicion if it is rife with
errors or doesn’t flow in a logical manner. If an email from a
coworker isn’t consistent with their normal writing style, take
a closer look at it.
• Look into installing add-ons for your browser at home: Many
browsers offer add-ons that can help protect you while online.
This will not be necessary for your corporate issued computer.
• Pay attention to alerts from IT, and utilize available resources:
If you receive an alert about a scam, don’t ignore it. There are
also resources online, such as the FBI website, where you can
find more information about online scams and attacks.
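The tip above about link names can also be checked automatically at a mail gateway or during triage of a reported message. The following is an added example, not part of the original brochure: it parses an HTML email and reports every link whose visible text names one site while the underlying address points to another. The sample message, its hosts, and the function names are constructed for illustration, and comparing only the last two DNS labels is a simplifying assumption.

```python
"""Flag links in an HTML e-mail whose visible text names one site but whose href goes to another."""
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that looks like a host name or URL, e.g. "www.google.com".
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed sample message; every address and host below is made up for this example.
SAMPLE_EMAIL = """\
From: "Account Security" <alerts@example.org>
To: employee@example.com
Subject: Urgent security alert
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account needs attention. Sign in at
<a href="http://update.example.net/login">www.google.com</a> today.</p>
<p>Help: <a href="https://www.google.com/help">www.google.com/help</a></p>
<p><a href="mailto:helpdesk@example.com">helpdesk@example.com</a></p>
<p><a href="https://intranet.example.com/">Staff portal</a></p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def site_key(host):
    """Comparison key: last two DNS labels (assumption: no public-suffix list is available)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def find_mismatched_links(raw_email):
    """Return (host shown to the reader, host the link really opens) for each mismatch."""
    msg = message_from_string(raw_email, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = AnchorCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            target = urlsplit(href)
            shown = HOST_IN_TEXT.search(text)
            # Only web links whose text itself claims a destination can be compared.
            if target.scheme not in ("http", "https") or not target.hostname or not shown:
                continue
            shown_host = shown.group(1).lower()
            if site_key(shown_host) != site_key(target.hostname):
                findings.append((shown_host, target.hostname))
    return findings


if __name__ == "__main__":
    for shown_host, real_host in find_mismatched_links(SAMPLE_EMAIL):
        print(f"link text says {shown_host} but opens {real_host}")
```

Links with descriptive text such as “Staff portal” are not reported, because the text makes no claim about the destination that could be compared.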
Fast Fact:
PayPal and eBay are the two
most commonly used names
in phishing emails.
(Source: http://news.cnet.com/8301-27080_3-20004819-245.html)
Scareware and Ransomware
Scareware and ransomware are classified as a type of malware
called trojans. A trojan is a program that appears to have a
legitimate and safe function, but ends up having a darker
purpose. Scareware masquerades as an antivirus, anti-
malware, or firewall program. Once installed, it will usually
wait awhile before showing its true colors. All of a sudden,
a pop-up alert will appear that says that this program has
detected some kind of virus or maybe a whole slew of them
(that probably don’t exist), but unfortunately cannot remove
them unless the user registers the program. This usually
involves a monetary transaction. After that, the warnings
may or may not disappear and the program may go inactive.
At that point it is already too late, as the damage is done:
you have not only lost money in the deal, but confidential
information as well if you filled out any kind of registration
form. A common example of this type of malware is “Antivirus
20XX” (the year changes to remain current). This program
masquerades as the Windows Security Center, which it
disables. It then follows the previously mentioned model.
There was also a similar program called “MacDefender” that
circulated earlier this year targeting Apple computers.
Ransomware is similar to scareware, except instead of trying
to scare the user into registering a fake product, it uses
extortion as a tactic instead. Usually, these are targeted at
corporations rather than individual users. Once installed, the
program will encrypt some amount of data on the target’s
system. In order to get the encryption key and regain utility
of the data, the victim will have to pay money to the attacker.
This attack can be very effective, because without the use of their
data, some corporations can lose a significant amount of money
in a few hours. This being the case, many corporations will pay
the fee rather than contact the authorities, as the resulting delay
will likely mean a larger sum of money being lost.
The next page includes tips on how to avoid malware.
Fast Fact:
One international scareware ring
investigated in June, 2011 by the FBI and a
multi-national task force infected more than 1
million victims and cost over $74 million!
(Source: http://www.fbi.gov/news/pressrel/press-releases/department-of-justice-disrupts-international-cybercrime-rings-distributing-scareware)
Here are a few tips for avoiding this type of malware:
• Review any software before download. If you can find
several credible reviews that back up the legitimacy of the
software, it will most likely be safe.
• If infected, don’t buy into their scare tactics. Instead,
seek assistance in removing the program, as they can
sometimes be tricky to remove safely.
• Any suspicious software or processes on your work
computer should be reported immediately to your manager
and system security.
• Purchase and install a reputable antivirus. The benefits of
this action will extend far beyond the threat of scareware.
• Do not install programs at work. Your work computer
already has antivirus protection. If you need a specific
program, put in a request with the Helpdesk.
Fast Fact:
A ransomware program infected
around 2500 users during a 5 week period
in December 2010 - January 2011, earning the
perpetrators over $30,000! The program required
the user to send a text message to a premium service
in order to unlock their computer.
(Source: http://news.softpedia.com/news/Russian-SMS-Ransomware-Earned-Fraudsters-30-000-in-Five-Weeks-178235.shtml)
Malicious Code Distributed via Email
By now, everyone is intimately familiar with junk email
sent in bulk, AKA Spam. Most of the time, these unwanted
emails are an annoyance, advertising products or services
unsolicited by the recipient. Spam can also be used for more
nefarious purposes, such as distributing viruses and other
malware. Malicious code can be hidden in flash videos,
PDF documents, and also in MS Word or Excel documents.
Sometimes, it will be embedded content directly in the
email, instead of in an attached file. This type is extremely
dangerous, as just opening the email could infect your
computer. Usually, emails that contain malicious code, either
attached or embedded, will have an attention grabbing header
such as “LOL... Funniest Joke Ever!”, or “You’ve Gotta See
This Video!!!”. They can also have headers that seem more
personal or important, such as “Here is the document that
you requested...”. The malware that is distributed in this
way can take many different forms, none of them good.
Many will self-replicate by hijacking your email account and
sending themselves out to all of your contacts, which can be more
dangerous as now the “World’s Funniest Video!!!” is coming
from a trusted contact. It should also be noted that this type
of distribution can be combined with phishing and spear-
phishing attacks for added mayhem.
This type of threat can be mitigated by a few simple things:
• Don’t open unsolicited emails like Spam. This guidance
also goes for emails coming from contacts that don’t
normally send those types of emails.
• Disable the email viewer in your email program or webmail.
This is the window that displays the contents of the email
as you scroll through your inbox. Embedded malicious code
will run if you accidentally click on the email and it opens in
the viewer.
• Don’t open attachments, unless it is something specific
that you have been expecting from a contact.
• Script blocking add-ons are available for many browsers
that can help prevent embedded code from running when
reading an email.
• Keep your software up to date. Malicious code will often
exploit flaws in software, such as Adobe Reader or Flash
Player, so keeping your software up to date can help keep
you protected.
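For teams that review reported messages, the document types named in this section can be recognized from the content of each message part rather than from its declared type. The following is an added example, not part of the original brochure: it walks one email, labels Flash, PDF and MS Office attachments by their leading bytes, notes Office files that carry a macro project, and reports HTML bodies containing active elements. The sample message, the labels, and the function names are constructed for illustration.

```python
"""Triage the parts of one e-mail: label risky document types by content, not by declared type."""
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # container used by legacy .doc / .xls files
ACTIVE_HTML = re.compile(r"<\s*(script|iframe|object|embed)\b", re.I)


def sniff(data):
    """Label the document types this section names, based on the first bytes of the file."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):        # uncompressed / zlib / LZMA Flash
        return "flash"
    if data.startswith(OLE2_MAGIC):
        return "legacy-office"
    if data.startswith(b"PK\x03\x04"):              # ZIP container, used by .docx / .xlsx
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return None
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "office-with-macros"
        if "[Content_Types].xml" in names:
            return "office"
    return None


def triage(raw_bytes):
    """Return (part name, label) for every body or attachment that deserves a closer look."""
    findings = []
    msg = message_from_bytes(raw_bytes, policy=default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None and part.get_content_type() == "text/html":
            tags = sorted({t.lower() for t in ACTIVE_HTML.findall(part.get_content())})
            if tags:
                findings.append(("body", "active-html:" + ",".join(tags)))
        elif name is not None:
            kind = sniff(part.get_payload(decode=True) or b"")
            if kind:
                findings.append((name, kind))
    return findings


def build_sample():
    """Constructed message with inert stand-ins for each kind of part (no real payloads)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.org"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Here is the document that you requested..."
    msg.set_content("See attached.")
    msg.add_alternative(
        "<html><body><p>See attached.</p><script>/* inert */</script></body></html>",
        subtype="html")
    msg.add_attachment(b"%PDF-1.4\n% constructed stub\n", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    workbook = io.BytesIO()
    with zipfile.ZipFile(workbook, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/vbaProject.bin", b"constructed placeholder")
    msg.add_attachment(workbook.getvalue(), maintype="application",
                       subtype="octet-stream", filename="report.xlsm")
    msg.add_attachment("Nothing to see here.", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for part_name, label in triage(build_sample()):
        print(f"{part_name}: {label}")
```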
Fast Fact:
Heidi Klum was recently ranked #1
by McAfee on its list of dangerous online celebrities,
as many spammers and malicious websites have used
her name recognition to dupe users.
(Source: http://www.mcafee.com/us/about/news/2011/q3/20110915-02.aspx)
Online Resources
National Cyber Security Alliance and National Cyber Security Awareness Month
	 http://www.staysafeonline.org
Antivirus and Anti-Malware
	 http://www.symantec.com/norton/internet-security
	 http://us.mcafee.com/root/store.asp
	 http://www.microsoft.com/security_essentials/
	 http://www.avast.com/mac-edition
Phishing and Site Verification
	 http://antiphishing.org
	 http://www.sonicwall.com/phishing
	 http://fraud.org/tips/internet/phishing.htm
Fast Fact:
The first MS Word macro-virus, “Concept”, was
launched in 1995. It spread via an infected Word
document attached to email and was one of the most
common virus occurrences on the internet for over a
year!
(Source: http://www.softpanorama.org/Malware/Malware_defense_history/Malware_gallery/Macro_viruses/concept.shtml)
Don’t be the weak link!
National Life Home Office: One National Life Drive, Montpelier, Vermont 05604
Telephone: 888-279-3990 • www.nationallife.com
National Life Group® is a trade name of National Life Insurance Company and its affiliates. Each company of the National Life Group
is solely responsible for its own financial condition and contractual obligations.

Vermont Professional Photographers Convention Booklet 2014
 
National Life University Booklet
National Life University BookletNational Life University Booklet
National Life University Booklet
 
Choose Your Own Adventures "Return to the Haunted House"
Choose Your Own Adventures "Return to the Haunted House"Choose Your Own Adventures "Return to the Haunted House"
Choose Your Own Adventures "Return to the Haunted House"
 
Beau Ties Ltd. Back to School Catalog 2013
Beau Ties Ltd. Back to School Catalog 2013Beau Ties Ltd. Back to School Catalog 2013
Beau Ties Ltd. Back to School Catalog 2013
 

Kürzlich hochgeladen

Machine learning workshop, CZU Prague 2024
Machine learning workshop, CZU Prague 2024Machine learning workshop, CZU Prague 2024
Machine learning workshop, CZU Prague 2024Gokulks007
 
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8Access Innovations, Inc.
 
Communication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxCommunication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxkb31670
 
Burning Issue presentation of Zhazgul N. , Cycle 54
Burning Issue presentation of Zhazgul N. , Cycle 54Burning Issue presentation of Zhazgul N. , Cycle 54
Burning Issue presentation of Zhazgul N. , Cycle 54ZhazgulNurdinova
 
The Real Story Of Project Manager/Scrum Master From Where It Came?!
The Real Story Of Project Manager/Scrum Master From Where It Came?!The Real Story Of Project Manager/Scrum Master From Where It Came?!
The Real Story Of Project Manager/Scrum Master From Where It Came?!Loay Mohamed Ibrahim Aly
 
Dynamics of Professional Presentationpdf
Dynamics of Professional PresentationpdfDynamics of Professional Presentationpdf
Dynamics of Professional Presentationpdfravleel42
 
Communication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxCommunication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxkb31670
 
Juan Pablo Sugiura - eCommerce Day Bolivia 2024
Juan Pablo Sugiura - eCommerce Day Bolivia 2024Juan Pablo Sugiura - eCommerce Day Bolivia 2024
Juan Pablo Sugiura - eCommerce Day Bolivia 2024eCommerce Institute
 

Kürzlich hochgeladen (8)

Machine learning workshop, CZU Prague 2024
Machine learning workshop, CZU Prague 2024Machine learning workshop, CZU Prague 2024
Machine learning workshop, CZU Prague 2024
 
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
ISO 25964-1Working Group ISO/TC 46/SC 9/WG 8
 
Communication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxCommunication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptx
 
Burning Issue presentation of Zhazgul N. , Cycle 54
Burning Issue presentation of Zhazgul N. , Cycle 54Burning Issue presentation of Zhazgul N. , Cycle 54
Burning Issue presentation of Zhazgul N. , Cycle 54
 
The Real Story Of Project Manager/Scrum Master From Where It Came?!
The Real Story Of Project Manager/Scrum Master From Where It Came?!The Real Story Of Project Manager/Scrum Master From Where It Came?!
The Real Story Of Project Manager/Scrum Master From Where It Came?!
 
Dynamics of Professional Presentationpdf
Dynamics of Professional PresentationpdfDynamics of Professional Presentationpdf
Dynamics of Professional Presentationpdf
 
Communication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptxCommunication Accommodation Theory Kaylyn Benton.pptx
Communication Accommodation Theory Kaylyn Benton.pptx
 
Juan Pablo Sugiura - eCommerce Day Bolivia 2024
Juan Pablo Sugiura - eCommerce Day Bolivia 2024Juan Pablo Sugiura - eCommerce Day Bolivia 2024
Juan Pablo Sugiura - eCommerce Day Bolivia 2024
 

National Life IT Department's Cyber Security Awareness Presentation

  • 1. 68805 MK10680(1011) TC64945(1011) National Life Group is a trade name of National Life Insurance Company and its affiliates. For internal use only. Not for use with the public. Don’t be the weak link! Cyber Security Awareness
  • 2. About Cyber Security Awareness Month: National Cyber Security Awareness Month (NCSAM) began in October of 2004. It was founded and promoted by the Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) as a means to promote education and awareness about the ever-increasing number of online security threats that lurk amongst us. For more information on NCSAM, visit: http://www.staysafeonline.org
    Our Mission: For the last several years, National Life Group has put on a Cyber Security Awareness Fair during the month of October in an effort to raise our employees’ awareness of online threats and countermeasures. NLGroup’s vision statement is “To Bring Peace of Mind to Everyone We Touch.” One of the things that we, as employees, can do to commit to this vision is to foster a strong, responsible, security-centric culture with regard to our computer-based infrastructure. Due to the sensitive nature of much of the data we work with, a computer-security-related incident at NLGroup could be especially devastating. Therefore, everyone should make it their responsibility to do everything in their power to help keep our systems secure.
    NLGroup Cyber Security Awareness Fair 2011: The security of a computer network can only be as strong as its weakest link, which can sometimes turn out to be its users. You can build your network from the best hardware and software on the market, and implement the most cutting-edge security protocols around, but all it may take is one user opening the wrong attachment to send it crumbling down. This year’s theme for our security awareness fair is: “Don’t be the Weak Link”. This theme is meant to emphasize the fact that one of the most vulnerable parts of any network is the user with a low level of security awareness. This document summarizes several common attacks that target the users on a network, with tips on how to avoid them.
  • 3. Social Engineering: Not all of the threats out there are high-tech; in fact, social engineering has been around since long before computers. Social engineering covers a fairly wide range of incidents, but at a basic level it involves using certain techniques while interacting with someone to gather information or achieve some other desired result. These techniques could include all manner of trickery, such as impersonating an authority figure, blackmail, extortion, bribery, or just lying convincingly. Someone could even gain employment with the company and gain the trust of his peers over time! The desired result might be access to a building or secure area, your login credentials, or personal information. With this new information, the criminal can do all kinds of unsavory things. These types of incidents can be hard to detect, as the perpetrator will most likely have done some research ahead of time to put on a convincing show, whether in person, on the phone, or via email.
    Consider this scenario: You receive a phone call at work from a man who introduces himself as “Jim Brown, down here in IT...”. He knows your name, and informs you that he is about to install some firmware on your computer remotely, and that you are going to have to turn off your machine for ten minutes while he applies the changes. He goes on to say that, unfortunately, the update process reverts your password back to the default password scheme, but if you would like, you could give him your current password and user ID and he would change it back for you so you don’t have to put in a ticket with system security.
    This phone call would likely seem convincing at face value: the caller knew your name, identified himself, and had a very clear purpose for calling. He also spoke casually, and knew the lingo. If you didn’t know many people in the IT team, it would be fairly easy to be taken in. The only real tip-off is the fact that he asked for your login credentials so that he could do you a “favor” and reset your password for you. Many unaware people may give “Jim” their login credentials, and then turn off their computer for ten minutes while he does whatever he wants on their account. Imagine trying to explain to your manager why large volumes of sensitive information were emailed to an outside email address from your company email account! The next page includes tips on how to prevent social engineering from being effective.
    Fast Fact: Each of the threats in this document (and many more!) involves some element of social engineering.
  • 4. The following tips can help prevent social engineering from being effective:
      • NEVER give out personal information or login credentials belonging to you or anyone else to someone you do not know. Verify the legitimacy of such requests (in this case by contacting IT) before releasing any information.
      • Ask questions such as why they need the information, who they report to, etc. Even well-researched and practiced impersonators can show cracks in their story when pressed.
      • Do not allow anyone you do not know personally, or anyone who does not have the appropriate authorization, to follow you into the building or a secure area.
      • Report suspicious personnel loitering near your work space.
      • Report any suspicious phone calls or emails to management and system security.
    Fast Fact: Frank William Abagnale Jr. was a successful impersonator and was able to masquerade as a commercial pilot, doctor, lawyer, and teacher in various work environments. Talk about social engineering! Abagnale was portrayed by Leonardo DiCaprio in the 2002 movie Catch Me If You Can. (Source: Computer Security Handbook, 5th Ed. Vol 1)
  • 5. Phishing and Spear-Phishing: Phishing is a specific type of attack that uses fraudulent emails to trick people into giving out confidential information. One of the most popular methods involves sending bulk email to numerous email addresses, masquerading as an urgent security alert from a popular bank or website such as Bank of America, PayPal, or Facebook. These emails notify the recipient that the website’s security has been compromised, and that it is imperative that the user follow a link to a site to update their security information. The provided link will lead to a convincing webpage that will include a form asking for personal information, passwords, IDs, and sometimes bank account or credit card numbers to verify their identity. Once the information is verified, the user is usually redirected to the real webpage, completing the illusion of legitimacy. The hapless user is now at the mercy of the people executing the attack. This technique could even be used for the user’s workplace login information, which would mean their employer would also be at risk.
    Spear-phishing is a more direct version of phishing. This time, the email will appear to come from a friend, family member, or manager. It may even contain personal references, inside jokes, confidential information, or company signatures gleaned from social engineering campaigns that will make it appear legitimate. These emails will specifically target the recipient, and the desired result will likely be to get a very specific set of information from the user.
    Phishing IQ Test: If you would like to test how good you are at detecting phishers, please take this online test. Go to: http://www.sonicwall.com/furl/phishing/ The test will serve up actual e-mail that claims to come from large companies; your job is to decide which are real and which are phishing expeditions. The next page includes tips to help protect yourself from phishing and spear-phishing.
    Fast Fact: An estimated 59 million phishing e-mails are sent each day. (Source: http://www.scmagazineus.com/aniti-phishing-bill-working-its-way-through-us-senate/article/107762/)
  • 6. The following tips will help protect you and NLGroup from becoming the victims of a phishing or spear-phishing attack:
      • Don’t respond to emails requesting that you confirm your user ID and password or other credentials, account numbers, etc.
      • Don’t respond to unsolicited emails: If you don’t know the sender, don’t respond. If they are offering a product or service, remember the old adage “If it looks too good to be true, it probably is.”
      • Don’t click on links in emails: Link names do not necessarily reflect where they link to. A link that says www.google.com can take you to any website. A better practice is to type the address manually into your web browser.
      • Verify transmission of sensitive info with the sender: If you receive an email requesting sensitive information, it never hurts to verify the request by calling the company or individual sending the email. Make sure you use a phone number from a secondary source, not the one provided in the email.
      • Read emails carefully: Pay attention to the content of an email. If an email is supposed to be an official announcement or request, it should raise some suspicion if it is rife with errors or doesn’t flow in a logical manner. If an email from a coworker isn’t consistent with their normal writing style, take a closer look at it.
      • Look into installing add-ons for your browser at home: Many browsers offer add-ons that can help protect you while online. This will not be necessary for your corporate-issued computer.
      • Pay attention to alerts from IT, and utilize available resources: If you receive an alert about a scam, don’t ignore it. There are also resources online, such as the FBI website, where you can find more information about online scams and attacks.
    Fast Fact: PayPal and eBay are the two most commonly used names in phishing emails. (Source: http://news.cnet.com/8301-27080_3-20004819-245.html)
  • 7. Scareware and Ransomware: Scareware and ransomware are classified as a type of malware called trojans. A trojan is a program that appears to have a legitimate and safe function, but ends up having a darker purpose.
    Scareware masquerades as an antivirus, anti-malware, or firewall program. Once installed, it will usually wait awhile before showing its true colors. All of a sudden, a pop-up alert will appear that says that this program has detected some kind of virus or maybe a whole slew of them (that probably don’t exist), but unfortunately cannot remove them unless the user registers the program. This usually involves a monetary transaction. After that, the warnings may or may not disappear and the program may go inactive. At that point it is already too late, as the damage is done: you have not only lost money in the deal, but confidential information as well if you filled out any kind of registration form. A common example of this type of malware is “Antivirus 20XX” (the year changes to remain current). This program masquerades as the Windows Security Center, which it disables. It then follows the previously mentioned model. There was also a similar program called “MacDefender” that circulated earlier this year targeting Apple computers.
    Ransomware is similar to scareware, except that instead of trying to scare the user into registering a fake product, it uses extortion as a tactic. Usually, these attacks are targeted at corporations rather than individual users. Once installed, the program will encrypt some amount of data on the target’s system. In order to get the encryption key and regain use of the data, the victim will have to pay money to the attacker. This attack can be very effective, because without the use of their data, some corporations can lose a significant amount of money in a few hours. This being the case, many corporations will pay the fee rather than contact the authorities, as the resulting delay will likely mean a larger sum of money being lost. The next page includes tips on how to avoid malware.
    Fast Fact: One international scareware ring investigated in June 2011 by the FBI and a multi-national task force infected more than 1 million victims and cost over $74 million! (Source: http://www.fbi.gov/news/pressrel/press-releases/department-of-justice-disrupts-international-cybercrime-rings-distributing-scareware)
  • 8. Here are a few tips for avoiding this type of malware:
      • Review any software before download. If you can find several credible reviews that back up the legitimacy of the software, it will most likely be safe.
      • If infected, don’t buy into their scare tactics. Instead, seek assistance in removing the program, as these programs can sometimes be tricky to remove safely.
      • Any suspicious software or processes on your work computer should be reported immediately to your manager and system security.
      • Purchase and install a reputable antivirus. The benefits of this action will extend far beyond the threat of scareware.
      • Do not install programs at work. Your work computer already has antivirus protection. If you need a specific program, put in a request with the Helpdesk.
    Fast Fact: A ransomware program infected around 2500 users during a 5-week period in December 2010 - January 2011, earning the perpetrators over $30,000! The program required the user to send a text message to a premium service in order to unlock their computer. (Source: http://news.softpedia.com/news/Russian-SMS-Ransomware-Earned-Fraudsters-30-000-in-Five-Weeks-178235.shtml)
  • 9. Malicious Code Distributed via Email: By now, everyone is intimately familiar with junk email sent in bulk, AKA Spam. Most of the time, these unwanted emails are an annoyance, advertising products or services unsolicited by the recipient. Spam can also be used for more nefarious purposes, such as distributing viruses and other malware. Malicious code can be hidden in Flash videos, PDF documents, and also in MS Word or Excel documents. Sometimes it will be embedded directly in the content of the email, instead of in an attached file. This type is extremely dangerous, as just opening the email could infect your computer.
    Usually, emails that contain malicious code, either attached or embedded, will have an attention-grabbing header such as “LOL... Funniest Joke Ever!”, or “You’ve Gotta See This Video!!!”. They can also have headers that seem more personal or important, such as “Here is the document that you requested...”. The malware that is distributed in this way can take many different forms, none of them good. Many will self-replicate by hijacking your email account and sending themselves out to all of your contacts, which can be more dangerous as now the “Worlds Funniest Video!!!” is coming from a trusted contact. It should also be noted that this type of distribution can be combined with phishing and spear-phishing attacks for added mayhem.
    This type of threat can be mitigated by a few simple things:
      • Don’t open unsolicited emails like Spam. This guidance also goes for emails coming from contacts that don’t normally send those types of emails.
      • Disable the email viewer in your email program or webmail. This is the window that displays the contents of the email as you scroll through your inbox. Embedded malicious code will run if you accidentally click on the email and it opens in the viewer.
      • Don’t open attachments, unless it is something specific that you have been expecting from a contact.
      • Script-blocking add-ons are available for many browsers that can help prevent embedded code from running when reading an email.
      • Keep your software up to date. Malicious code will often exploit flaws in software, such as Adobe Reader or Flash Player, so keeping your software up to date can help keep you protected.
    Fast Fact: Heidi Klum was recently ranked #1 by McAfee on its list of dangerous online celebrities, as many spammers and malicious websites have used her name recognition to dupe users. (Source: http://www.mcafee.com/us/about/news/2011/q3/20110915-02.aspx)
  • 10. Online Resources
      • National Cyber Security Alliance and National Cyber Security Awareness Month: http://www.staysafeonline.org
      • Antivirus and Anti-Malware: http://www.symantec.com/norton/internet-security, http://us.mcafee.com/root/store.asp, http://www.microsoft.com/security_essentials/, http://www.avast.com/mac-edition
      • Phishing and Site Verification: http://antiphishing.org, http://www.sonicwall.com/phishing, http://fraud.org/tips/internet/phishing.htm
    Fast Fact: The first MS Word macro-virus, “Concept”, was launched in 1995. It spread via an infected Word document attached to email and was one of the most common virus occurrences on the internet for over a year! (Source: http://www.softpanorama.org/Malware/Malware_defense_history/Malware_gallery/Macro_viruses/concept.shtml)
  • 11. Don’t be the weak link! National Life Home Office: One National Life Drive, Montpelier, Vermont 05604 Telephone: 888-279-3990 • www.nationallife.com National Life Group® is a trade name of National Life Insurance Company and its affiliates. Each company of the National Life Group is solely responsible for its own financial condition and contractual obligations.