6. You Are the First Line of Defense
In survey after survey, users feel that security is
someone else’s job, not theirs.
7.
8. How Malware Gets Inside
Someone invites you to download important files.
Malware hides among these files.
This tactic slips innocuous files into your system…
...in order to deliver malicious payloads later.
9. Why People Are the Weak Link
+ For many employees, clicking on attachments and searching the Internet is part of their job.
+ Phishing attacks have become very convincing.
+ How do you maintain the appropriate level of skepticism and get your work done on time?
11. Don’t Trust Unknown Files
Best Practices:
● Do not download files.
● Do not click on email attachments.
● Don’t follow unsolicited web links in emails.
● Don’t collaborate on Google docs from people you don’t know.
If you don’t have a tool for secure file sharing, get one!
12. Patch Your S#!T
This doesn’t apply only to server admins.
● Automate patching where possible.
○ Restart your PC/laptop!
● If not automated, run your updates.
○ Especially anti-malware apps
● Include your mobile devices, OS, and apps.
DON’T depend on after-the-fact breach identification!
13. Patch Your S#!T
"...Attackers show no sign of discrimination against elderly vulnerabilities. A full 90% of organizations recorded exploits for vulnerabilities that were at least three years old."
15. How Not to Pay Ransomware
You don’t have to pay if you have your data backed up!
● Syncing solutions are not backups.
● Backups must be:
○ Regular - if they don’t happen they aren’t any good
○ Frequent - you lose data since the last backup
○ Offline - they are only safe if they can’t be reached electronically
16. Backups Made Easy
There are lots of good backup tools and SaaS options.
+ I use Cobian on Windows.
17. Ransomware: How Not to Pay It
It is always better to prevent than to recover.
● Update AntiVirus on all devices
● Keep OS and Browser updated
● Use pop-up blocker
● Don’t open attachments from unsolicited emails
● Use attachment encryption to avoid tampering
● Strong password practice
18. Passwords for Smart People
Use high-entropy passwords:
○ Combination of words, numbers, symbols, and both upper- and lower-case letters
○ Or very long - 12 to 15 chars min - is even better
That are hard to guess/generate:
○ No info related to you
○ No dictionary words
Unique to each site/application:
○ A great password is useless if their DB is hacked
20. Use a Password Manager
● Remember only 1 password
● Generate random, strong passwords
● Easily change passwords
● Many have easy auto-fill features
● Use across multiple devices
● Multi-factor authentication options
● Security review of your passwords
21. Two-Factor Authentication
Key principle:
● Something you Know
● Something you Have/Are
Things you Have/Are:
● Phone - Google Authenticator, LastPass Authenticator, etc.
● Hardware token - e.g. Yubikey
● Fingerprint scanner
23. Mobile Security
Use the same precautions on mobile devices as you would on a computer:
● Good Password Practice (PW Manager mobile apps)
● Lock device, require authentication!
● 2FA (Google Authenticator, LastPass Authenticator, etc.)
● Use a VPN (yes, for a phone)
● Use a lock-down tool like Prey
24. Lock Your Mobile Device!
8% of U.S. users and 14% of U.K. users lack a lock screen password on their mobile devices.
25. Mobile Password Protection
Lock your mobile device!
“8 percent of U.S. users and 14 percent of U.K. users lack a lock screen password on their mobile devices”
26. Mobile Password Protection
Using a Password Manager on Mobile
● Tedious - but getting easier
● LastPass announces Auto-Fill for Android Oreo same day as Oreo is announced
27. Mobile Security
Mobile devices are more likely to be lost, so you need to be able to:
● Locate them if possible, if not
● Shut them down and
● Secure the data
Example shown on the slide: Preyproject.com