This was presented during the Business Knowledge Sharing Session, which was attended by all staff, including the executives. An overview of Information System Security was given so that staff gain insight into its three core objectives (confidentiality, integrity and availability), and the popular techniques employed by adversaries in social engineering attacks were discussed in detail.
2. Learning Objectives
01. IT Security Fundamental: provide background knowledge on Information Security
02. Introduction: the need for IT Security Awareness Training
03. UC IT Risk Road Map: what we have achieved
04. Cyber-attack: discussion of various cyber-attack methods
05. Social Engineering: discussion of the various types of Social Engineering Attack
06. IT Security Tips: general tips for the prevention of cyber-attacks
3. Introduction

What Is IT Security Awareness?
It means understanding the various information technology threats that exist in one's computing environment and taking reasonable steps to guard against them.

Who Is Responsible for IT Security?
Everyone who uses a computer needs to know how to keep his or her computer and data secure to ensure a safe working environment.

Who Must Have Security Awareness Training?
All employees who use information technology or have access to areas where information resources reside.

Importance of Information Security Awareness
Without training, employees could be making serious mistakes, especially in the realm of security. Security training allows organizations to influence behavior, mitigate risk, and ensure compliance.
• Develop a security-focused culture
• Protect assets

What Are User Personal Responsibilities?
• Report security violations
• Develop "end-of-day" security procedures
• To be discussed extensively under IT Security Tips
4. IT Security Fundamental

What is Information Security?
Information security is the practice of protecting information by mitigating information risks. It is part of information risk management. It is not something you buy, it is something you do. It's a process, not a product.

Definition of Terms
• Vulnerability
• Threat
• Threat Agent
• IT Risk
• IT Risk Management

Core Objectives of Information Security (CIA)
• Confidentiality
• Integrity
• Availability
5. IT Risk Road Map

Implementation of Controls
• 4th generation firewall
• McAfee Antivirus
• McAfee DLP (data loss prevention)
• McAfee DAM (database activity monitoring)
• FIM (file integrity monitoring): CIM Track
• 2FA on the email platform
• Cutting-edge backup infrastructure
• Improved change control management

Continuous Monitoring and Review
• Daily review and monitoring
• IT project/application security assessment
• Investigation of IT incidents
• Internal VAPT
• External VAPT

Manage Security
• Establishment of a SOC
• Reporting
• Performance measurement
• Incident prediction
• IT risk advisory

IT Risk Management
• Identification of assets and vulnerabilities across the network
• Information System and Security Policy framework
• Improved IT governance
9. Social Engineering Attack
In the context of information security, Social Engineering refers to the psychological manipulation of people into performing actions or divulging confidential information.

It is a non-technical method of intrusion that relies on:
• Human interaction
• Trickery
• Manipulation

It exploits the weakest link in the chain.

Example phone call: "This is John, the System Administrator. What is your password?"
11. Types of Social Engineering Attack
Social Engineering is a game of cat and mouse.

Physical
• Impersonation: pretending to be someone you are not.
• Dumpster Diving: digging through trash to obtain information.
• Tailgating and Shoulder Surfing: waiting for an action to take place and then capitalising on the result, e.g. following an authorised person through a security door before it closes, or watching over someone's shoulder as they enter a password or PIN.

Digital/Logical
• Spam
• Phishing
• SMiShing
• Spear Phishing
• Whaling (CEO Fraud)
• Hoaxes
• Vishing
• Typosquatting/Domain phishing
• Watering Hole
• Baiting
• Social Media Mining
18. Tips to Prevent Social Engineering and other Cyber-attacks
1. Be mindful of the sites you visit and surf on the internet, especially while on UC's network.
2. Think twice before you input your password on any website without https.
3. Consider the source.
4. Check the sender's email address before taking any action.
5. Avoid downloading installable/executable files, movies, porn, etc.
6. Do not click any suspicious link.
7. Password security is key.
8. Do not share your password.
9. The Executives and other staff should be wary of spear phishing and whaling attacks.
10. Be cautious of free Wi-Fi.
11. Do not use official email for personal activities online.
12. Do not assume; confirmation is necessary.
13. Trust but verify.
19. Tips to Prevent Social Engineering and other Cyber-attacks
14. Be wary of personable callers.
15. Secure all devices and social media profiles, i.e. use a security PIN on your phone and two-step verification on WhatsApp and Telegram.
16. Improve your personal privacy: reduce the personal and official information you post on social media.
17. Pay attention to the weekly information security awareness email from IT Risk and Control. Education is key.
18. Do not be the weak link.
19. IT Security is the business of all staff.
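As an added example, not part of the original slides or of UC's tooling, the following script turns three of the points above into automated checks: the typosquatted/lookalike domains listed under Digital/Logical attacks and the whaling (CEO fraud) pattern, the tip to check the sender's email address, and the tip to think twice before entering a password on a site without https. The organisation's domain ("uc.example") and the sample messages are assumptions constructed for this example; a real deployment would also consult a public-suffix list rather than the two-label approximation used here.

```python
# Added example, not part of the original slide deck: a small heuristic scanner
# for social-engineering indicators discussed above: typosquatted sender or link
# domains, a Reply-To that points somewhere else (whaling/CEO fraud pattern),
# and password/login links served without HTTPS.
# ASSUMPTIONS: "uc.example" is used as the organisation's domain, and the
# messages in SAMPLES are constructed for this example (not real mail).
import re
from urllib.parse import urlparse

LEGIT_DOMAINS = {"uc.example"}  # assumed corporate domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one- or two-edit differences are typical typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname (crude stand-in for a public-suffix lookup)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def lookalike_of(host: str):
    """Return the legitimate domain that `host` imitates, or None."""
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return None  # a genuine company host, possibly a subdomain
    for legit in LEGIT_DOMAINS:
        if edit_distance(reg, legit) <= 2:
            return legit
    return None


def domain_of(address: str) -> str:
    """Domain part of 'Display Name <user@host>' or 'user@host'; '' if absent."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address)
    return m.group(1).lower() if m else ""


def check_message(msg: dict) -> list:
    """Return a list of human-readable findings for one message."""
    findings = []
    from_dom = domain_of(msg["from"])
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"sender domain {from_dom} resembles {imitated}")
    # A Reply-To on a different domain redirects the conversation away from
    # the apparent sender, a common CEO-fraud set-up.
    reply_dom = domain_of(msg["reply_to"]) if msg.get("reply_to") else from_dom
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")
    for url in msg.get("links", []):
        u = urlparse(url)
        host = u.hostname or ""
        if u.scheme != "https":
            findings.append(f"link without https: {url}")
        if lookalike_of(host):
            findings.append(f"link host {host} resembles a company domain")
    return findings


# Constructed sample messages (not real mail).
SAMPLES = {
    "legit": {
        "from": "IT Risk and Control <itrisk@uc.example>",
        "links": ["https://intranet.uc.example/awareness"],
    },
    "typosquat": {  # 'rn' standing in for 'm', reset link served over plain http
        "from": "IT Helpdesk <helpdesk@uc.exarnple>",
        "links": ["http://uc.exarnple/reset-password"],
    },
    "whaling": {  # sender address looks right, but replies go to a webmail account
        "from": "Chief Executive <ceo@uc.example>",
        "reply_to": "ceo.uc@webmail.example",
        "links": [],
    },
}


def scan_samples() -> dict:
    """Run the checks over every constructed sample; name -> findings."""
    return {name: check_message(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or ["no indicators"])
```

The distance threshold of two edits catches the common single-character swaps and the "rn" for "m" trick but not a wholly different domain, so this complements rather than replaces the human checks in the tips above: a message from an unrelated domain still needs the "consider the source" judgement.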