Bank Information Security Awareness Training - PowerPoint PPT Presentation

Slides: 22
Provided by: jimk4
Transcript and Presenter's Notes

1
Bank Information Security Awareness Training

Presented by Jim Kisch jim_at_bankersuniverse.com
2
Introduction
  • What is Security Awareness Training?
  • What's our role?
  • Please take notes and ask questions
  • I will introduce you to the most common threats
  • Importance of customer privacy
  • Identity theft
  • IT exams
  • Reputation risk

3
Overview
  • The Threats
  • Passwords
  • Viruses
  • Email Attachments
  • Flash drives / CD ROMs
  • Social engineering
  • Workstation Log off / Shut down
  • Local drives and floppies
  • Acceptable Use
  • Physical Security

4
Threats
  • HACKER MOTIVATION SHIFT
  • Pre-2005: Bragging Rights and Notoriety
  • Hackers: One-Man Band
  • 2005 to Present: Financial Gain

5
Threats
  • Identity theft
  • Spammers
  • Phishing is rampant
  • Automated nature
  • Virtually cost- and risk-free
  • From single-person to multi-country

6
Common Threats
  • Web Spoofing
  • Botnet Zombies
  • Skimming
  • Script kiddies
  • Firewall security
  • Document forgery made easy
  • Caller ID fraud

7
ATM Skimmer
8
Common violations
  • The following are common information security
    violations:
  • Sending confidential information via conventional
    email
  • Writing passwords on post-its and notepads
  • Sharing usernames and passwords with co-workers
  • Failure to disable access rights after an employee
    is terminated
  • Poorly configured wireless devices

9
Passwords
  • Passwords to access the network, applications,
    core banking and resources are confidential and
    should not be disclosed to anyone
  • Please do not share your password with other
    employees or temporary staff
  • Please do not divulge your password or any other
    information about the bank's computers or the
    network to any phone or other verbal/written
    inquiry
  • Should not be a word (even slang)

10
Passwords
  • Not based on personal information such as names
    of family, etc.
  • The minimum password length
  • Password complexity
  • A password cannot be reused
  • Please contact Information Security Officer if
    you believe your password has been compromised

11
Password cracking
12
Viruses
  • What is a virus?
  • Worms
  • Trojan
  • Spyware
  • Botnets
  • Never disable anti-virus software
  • Downloading, importing or transferring external
    screen savers, desktop themes, and wallpaper to
    your computer can expose our network to viruses
    and is prohibited.
  • What if I get an alert?

13
Email Attachments
  • Email attachments are notorious for transferring
    viruses to our network.
  • We urge all of you who receive email with
    attachments to not open anything that seems
    peculiar and to inform Information Security
    Officer immediately if you have any doubt about
    the legitimacy of email you are receiving.

14
Media risks
  • Beware of flash drives and demo CD ROMs
  • Must be a very compelling business reason to
    install
  • Pre-authorized scheduled software upgrades are an
    exception to this policy and can be performed by
    authorized banking personnel
  • Backup media
  • Unauthorized Webex
  • ActiveX

15
Social Engineering
  • Hackers take advantage of our trusting nature
  • A little information goes a long way
  • Minnesota nice
  • Report all suspicious conversations to management

16
PC Log Off / Shut Down
  • Please log off your computer when you are away
    from your desk for any extended amount of time
    and completely shut down your computer at the end
    of each work day.
  • Leaving your computer logged on to the network
    opens the door for people to gain unrestricted
    access to our network and must not be taken
    lightly. Customers, vendors and people at large
    with computer savvy may be looking for the
    smallest window of opportunity to gain access to
    confidential information for notoriety or
    financial gain.
  • Restart your PC workstation at the end of each day

17
Local Drives and flash drives
  • Critical data should not be stored on Local
    drives, flash drives or CD ROMs
  • Data on individual workstations is not adequately
    secured or backed up
  • All data on the file server is backed up daily
    and is recoverable in the event of hardware
    failure
  • The bank's server has advanced security features

18
Acceptable Use
  • Don't install any hardware or software on your
    computer workstation
  • Cannot use the bank's assets for improper
    purposes
  • Instant messaging, GoToMyPC, etc.
  • Don't turn your virus detection software off
    (repeat)
  • Email and Internet access
  • Unauthorized installation or duplication of
    unlicensed software is prohibited by law

19
Physical Security
  • Use of screen savers is very important!
  • Lock up your work in progress
  • Employees are responsible for securing computer
    equipment
  • Be careful when transporting portable equipment
  • Shred confidential documents frequently!

20
Contacts
  • IT-related incident, the contact order should be
  • Non-IT-related incident (such as a robbery)

21
Summary
  • Safeguarding customer information
  • It's regulation
  • It makes good business sense
  • Take care of your customers' information as if it
    was your own. You're in the trust business