This was presented during the Business Knowledge Sharing Session. In attendance were all the staff including the executives. An overview of the Information System Security was discussed to enable the staff have insight into the three core objectives of Information System Security. Largely, all the popular techniques employed by the adversary for social engineering attack were discussed in detail.

1. Information Security Training
User Awareness and Practices
Ismail Oduoye CISA,CISSP
September 2019

2. Learning Objectives
01
02
03
IT Security Fundamental
Provide background knowledge
on Information Security
Introduction
Need for IT Security Awareness
Training
UC IT Risk Road Map
What we have achieved
04
05
06
Cyber-attack
Discussion of various cyber-
attack methods
Social Engineering
Discussion of the various types
of Social Engineering Attack.
IT Security Tips
General tips for prevention of
Cyber-attack.

3. Introduction
1 2
5
3
4
What Are User Personal
Responsibilities?
 Report security violations
 Develop “end-of-day” security procedures
 To be discussed extensively under IT Security Tips
What Is IT Security
Awareness?
Who Is Responsible for
IT Security?
Who Must
Have
Security
Awareness
Training?
Everyone who uses a computer needs to
know how to keep his or her computer
and data secure to ensure a safe working
environment.
 Without training, employees could be
making serious mistakes, especially in
the realm of security.
 Security training allows organizations to
influence behavior, mitigate risk, and
ensure compliance.
 Develop a security-focused culture
 Protect Asset
All employees who use
information technology or have
access to areas where information
resources reside.
It means understanding various information
technology threats that exist in one's computing
environment and taking reasonable steps to
guard against them.
Importance of Information
Security Awareness

4. IT Security Fundamental
Definition of Terms
Core Objectives of
Information
Security(CIA)
What is Information Security
 Vulnerability
 Threat
 Threat Agent
 IT Risk
 IT Risk Management
 Information security is the
practice of protecting
information by mitigating
information risks. It is part
of information risk
management.
 It is not something you
buy, it is something you
do. It’s a process not a
product.
 Confidentiality
 Integrity
 Availability

5. IT Risk Road Map
Implementation of Controls
 4th Generation Firewall
 Macfee Antivrus
 Macfee DLP
 Macfee DAM
 FIM-CIM Track
 2FA on email platform
 Cut edge Backup
infrastructure
 Improved change control
management
.
Continous Monitoring and
Review
 Daily review and monitoring
 IT project/application security
assessment .
 Investigation of IT incidents
 Internal VAPT
 External VAPT
Manage Security
 Establishment of SOC.
 Reporting.
 Performance measurement.
 Incident prediction.
 IT risk advisory
IT Risk Management
 Identification of assets and vulnerabilities across
the network
 Information System and Security Policy
framework
 Improved IT Governance

6. Cyber Criminals
Cracker:
Computer-savvy
programmer creates
attack software
Script Kiddies:
Unsophisticated
computer users who
know how to
execute programs

7. Leading Cyber Threats
 Viruses
 Worms
 Ransomware
 Trojan Horses / Logic Bombs
 Social Engineering
 Rootkits
 Botnets / Zombies

8. What is an Internet Minute?

9. Social Engineering Attack
In the context of information security, Social Engineering refers to psychological
manipulation of people into performing actions or divulging confidential information.
Non-technical method of
intrusion that relies on:
• Human interaction
• Trickery
• Manipulation
Exploiting the weakest
link in the chain
Phone Call:
This is John, the System
Administrator. What is
your password?

10. Social Engineering

11. Types of Social Engineering Attack
Social Engineering is a game of cat and mouse
Physical
 Impersonation
Pretending to be someone you are not.
 Dumpster Diving
Digging through trash to obtain information.
 Tailgating and Shoulder Surfing
Waiting for an action to take place and then
capitalizes on the result. E.g. Security door
Digital/Logical
 Spam
 Phishing
 SMiShing
 Spear Phishing
 Whaling(CEO Fraud)
 Hoaxes
 Vishing
 Typo squatting/Domain phishing
 Watering Hole
 Baiting
 Social Media Mining

12. Social Engineering

13. Social Engineering

14. Social Engineering

15. Social Engineering

16. Social Engineering

17. Social Engineering

18. Tips to Prevent Social Engineering and other Cyber-attack
1. Be mindful of site you visit
and surf on the internet,
especially while on UC’s
network.
2. Think twice before you
input your password on any
website without https.
3.Consider the source.
4. Check the sender’s email
address before taking any
action.
5.Avoid download of
installable/executable files, movies,
pons etc.
6.Do not click any suspicious link.
8.Do not click any
suspicious link.
9.Password security is
key.
10.Do not share your
password.
12.Be cautious of free Wi-Fi
13.Do not use official email for
personal activities online.
11.The Executives and
other staff should be wary
of spear phishing and the
whaling attacks.
14.Do not assume, confirmation is
necessary.
15.Trust but verify

19. Tips to Prevent Social Engineering and other Cyber-attack
17.Secure all devices and
social media profiles i.e.
use of security PIN for
Phone and 2 steps
verifications on WhatsApp
and Telegram.
18.Improve on your personal privacy,
reduce personal and official information
you posted on social media.
19.Pay attention to the weekly
Information security awareness email
from IT Risk and Control. Education is
key.
16.Be wary of personable
callers
21.IT Security is the business
of all staff.
20. Do not be the weak
link

20. Questions

21. Thank you