Security Awareness - PowerPoint PPT Presentation

About This Presentation

Title: Security Awareness

Description: Password Security ... Internet worms, bot-nets and trojan programs can be installed on your PC simply ... A Web search for 'hacking' will return lots of information. ... – PowerPoint PPT presentation

Number of Views: 6727
Avg rating: 3.0/5.0
Slides: 36
Provided by: SystemsAdm4

Transcript and Presenter's Notes

1
Security Awareness
  • Protecting the credit union in the new millennium

2
Table of Contents
  • Security Awareness defined
  • NCUA Part 748 and GLBA
  • New and Emerging threats
  • Information Security Policy
  • Password Security
  • Physical Security
  • Social Engineering
  • Member verification
  • Business computer usage

3
Why Security Awareness?
  • Many security incidents occur due to internal and
    human weaknesses. Ensuring that a credit union's
    sensitive information and critical customer data
    remain confidential is the responsibility of
    every employee.
  • It is estimated that as much as 75% of the threat
    to sensitive data is from inside the credit union!

4
NCUA Part 748 and the GLBA
  • From Part 748, Appendix A: "Each federally
    insured credit union will develop a written
    security program within 90 days of the effective
    date of insurance. The security program will be
    designed to: Protect each credit union office
    from robberies, burglaries, larcenies, and
    embezzlement."

5
Information Security
  • Ensure the security and confidentiality of member
    records, protect against the anticipated threats
    or hazards to the security or integrity of such
    records, and protect against unauthorized access
    to or use of such records that could result in
    substantial harm or serious inconvenience to a
    member.

6
Incident Response
  • Respond to incidents of unauthorized access to or
    use of member information that could result in
    substantial harm or serious inconvenience to a
    member.

7
Forensics
  • Assist in the identification of persons who
    commit or attempt such actions and crimes

8
Information Protection
  • Each federally insured credit union must prevent
    destruction of vital records, as defined in 12
    CFR part 749.
  • Each Federal credit union, as part of its
    information security program, must properly
    dispose of any consumer information the Federal
    credit union maintains or otherwise possesses, as
    required under 717.83 of this chapter.

9
Gramm-Leach-Bliley Act
  • Gramm-Leach-Bliley Act: Each agency shall
    establish appropriate standards to:
  • Ensure the security and confidentiality of
    customer records and information.
  • Protect against any anticipated threats or
    hazards to the security or integrity of such
    records.
  • Protect against unauthorized access to or use of
    such records or information which could result in
    substantial harm or inconvenience to any
    customer.

10
What is sensitive information?
  • From 38 CFR 748, Appendix B:
  • For purposes of this Guidance, sensitive member
    information means a member's name, address, or
    telephone number, in conjunction with the
    member's social security number, driver's license
    number, account number, credit or debit card
    number, or a personal identification number or
    password that would permit access to the member's
    account. Sensitive member information also
    includes any combination of components of member
    information that would allow someone to log onto
    or access the member's account, such as user name
    and password or password and account number.

11
The NCUA's IST Program
  • The Bottom Line: Create an environment of strong
    Information Security Awareness!

12
Emerging threats
  • Hackers are becoming more organized, and a wealth
    of tools is available to them.
  • Phishing and other social engineering scams are
    increasing at an alarming rate.
  • Spam continues to infect thousands of business
    computers with key loggers, viruses, and hybrid
    threats.
  • Malicious websites can install spyware and other
    Trojans on your machine simply by you visiting
    their site.

13
Security Awareness includes
  • Information Security Policy
  • Password security
  • Physical security
  • Phishing, Pharming and social engineering
    awareness
  • Responsible use of business computer
  • Mobile technology security

14
Change Your Perception
  • Every employee shares the responsibility of
    maintaining a secure environment and securing
    sensitive information!
  • Security is a necessity, not a burden
  • Be proactive, adopt good security habits

15
Information Security Policy
  • A strong Security Policy provides the basis for
    the credit union's entire security program.
  • A well-developed Security Policy is the result of
    collaboration among stakeholders drawn from many
    departments.
  • The Security Policy will be the first thing
    Information Security Auditors will ask to see.
  • It is critical that all employees read and fully
    understand the Credit Union's Security Policy.

16
Information Security Policy
  • A Few Things a Security Policy Must Address:
  • Access Rights
  • Password Construction Rules
  • Password Rotation Rules
  • Password Protection Policy
  • Backup and Disaster Recovery Procedures
  • Virus Protection
  • Log review, Intrusion Detection, and Response
  • Legal Logon Banner
  • Staff Security Awareness
  • Appropriate Technology Use
  • And much more.

17
Password Security
  • Perhaps the most mundane yet all-important
    countermeasure to hacking is strong passwords.
  • Enforcing a security policy that includes strong
    password construction and rotation rules will
    help to alleviate many potential problems.

18
Password Security
  • Teach your old password some new tricks!
  • The more complex, the better
  • Use 1wUZb0rn19G8 instead of 04021968
  • Never write your password down! Remember, even
    the cleaning crew has full access to your office.
  • Change your password every month
  • Don't reuse your old password!

19
Password Security
  • Passwords should be at least eight characters in
    length
  • Passwords should be difficult to guess (i.e.,
    should not be words in a dictionary, derivatives
    of the user's ID, or common character sequences)
  • Passwords should contain at least one of each of
    the following character types: upper case
    letters, lower case letters, and numerals
  • Passwords should contain at least TWO
    non-alphanumeric characters, such as ! @ .
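Slide 19's construction rules as an automated check, an added example rather than code from the presentation; the word list and common-sequence list are constructed stand-ins for a real cracking dictionary, and the "derivative of the user ID" test is one simple interpretation of that rule.

```python
import re

# Constructed stand-ins: a real deployment would load a full cracking word list.
DICTIONARY = {"password", "welcome", "summer", "letmein", "creditunion"}
COMMON_SEQUENCES = ("1234", "abcd", "qwerty", "1111", "0000")
RULES = (  # (violation text, pattern) for each character class slide 19 requires
    ("no upper-case letter", re.compile(r"[A-Z]")),
    ("no lower-case letter", re.compile(r"[a-z]")),
    ("no numeral", re.compile(r"[0-9]")),
)

def password_problems(password: str, user_id: str) -> list[str]:
    """Return the construction rules the password violates; an empty list means it passes."""
    lowered, uid = password.lower(), user_id.lower()
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    # Strip digits/punctuation so "Summer2024!!" is still recognised as a dictionary word.
    if re.sub(r"[^a-z]", "", lowered) in DICTIONARY:
        problems.append("dictionary word")
    # Assumed interpretation of "derivative of the user ID": the ID (or its reverse) appears inside.
    if uid and (uid in lowered or uid[::-1] in lowered):
        problems.append("derived from the user ID")
    if any(seq in lowered for seq in COMMON_SEQUENCES):
        problems.append("contains a common character sequence")
    for violation, pattern in RULES:
        if not pattern.search(password):
            problems.append(violation)
    if len(re.findall(r"[^A-Za-z0-9]", password)) < 2:
        problems.append("fewer than two non-alphanumeric characters")
    return problems
```

Run against the slide-18 suggestion 1wUZb0rn19G8, the check reports only the missing non-alphanumerics, which slide 19 requires but slide 18 does not mention.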

20
Physical Security
  • Physical security is an underestimated and often
    overlooked aspect of securing sensitive data.
    Physical safeguards are powerful ways to protect
    sensitive information and assets.
  • Failure to adopt secure behaviors leaves your
    data and all computers connected to the network
    vulnerable.

21
Physical Security Questions
  • Who was in my office and why?
  • Could they or did they read my e-mail?
  • Did they go through my electronic files, paper
    files or trash can?
  • Was sensitive information accessible?
  • What applications were open on my desktop?

22
Securing Your Environment
  • Always escort guests
  • Use door and drawer locks
  • Shred sensitive materials
  • Always secure sensitive materials when leaving
    your office
  • Secure portable devices with passwords and
    encryption

23
Physical Security
Things we've learned:
  • Smokers will usually allow us in the back door.
  • Employees won't stop you if you have a clipboard.
  • Administrative areas are not restricted.
  • Shredding policies are not enforced (Dumpsters
    contain loan applications, credit reports, etc).
  • PCs are left logged in. Unused network jacks are
    not unplugged in the server room.
  • Wiring closets are not locked.
  • PCs in the lobby for home banking access are
    behind the firewall and unrestricted.

24
Phishing and Social Engineering
  • Phishing is a common social engineering tactic
    whereby a hacker attempts to fraudulently acquire
    sensitive information such as usernames,
    passwords, social security numbers and account
    numbers.
  • Phishing is typically carried out using email or
    an instant message, and often redirects users to
    a fraudulent website created to mirror the
    legitimate site.

25
Sample Phishing e-mail
-----Original Message-----
From: Jack SMTP@cu.org
Sent: Wednesday, April 11, 2007 10:37 AM
To: Sue Employee
Subject: Confidential: Please Read Immediately!

Unfortunately we had a member of management leave us
and as a security precaution we need a few
individuals to give us an account of this person's
actions. Since we need this information in writing,
per our security and compliance policy, we've setup
a template of questions that requires you to login.
Please use your normal network login and password.
http://68.153.63.169/secured.asp
Thanks! Jack
27
Phishing avoidance
  • First and foremost, never give sensitive
    information to ANYONE via e-mail.
  • Be aware of suspicious URLs. Always compare the
    link in the e-mail to the link you've been
    redirected to.
  • In the previous e-mail, the hacker asks you to
    click on the following link and provide your
    username and password:
  • http://68.153.63.169/secured.asp
  • Don't do it!!
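The URL checks slide 27 asks staff to make by eye, as an added example that is not part of the presentation: it flags links whose destination is a bare IP address, lies outside the credit union's own domain, or differs from the host shown in the link text. The trusted domain cu.org is an assumption taken from the sample sender's address; the sample body is the tail of the phishing e-mail above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (constructed): the credit union's own domain, taken from the sample sender's address.
TRUSTED_DOMAINS = ("cu.org",)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Sample input: the tail of the page's sample phishing e-mail.
SAMPLE_EMAIL = "Please use your normal network login and password. http://68.153.63.169/secured.asp Thanks! Jack"

class _Links(HTMLParser):  # collects (href, visible text) for every http(s) <a> in an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and href.startswith("http"):
            self._href, self._text = href, []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url).hostname or "").lower()

def link_warnings(body: str) -> list[str]:
    """Return one warning per suspicious link in an e-mail body (HTML or plain text)."""
    parser = _Links()
    parser.feed(body)
    links = parser.links
    seen = {href for href, _ in links} | {text for _, text in links}
    links += [(u, u) for u in URL_RE.findall(body) if u not in seen]  # bare URLs in plain text
    warnings = []
    for href, text in links:
        host = _host(href)
        if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", host):  # dotted-quad IPv4 literal, as in the sample
            warnings.append(f"{href}: destination is a bare IP address, not a named site")
        if not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
            warnings.append(f"{href}: destination is outside the credit union's domain")
        shown = URL_RE.search(text)  # HTML mail: the URL the reader sees vs. the one the link opens
        if shown and _host(shown.group()) != host:
            warnings.append(f"{href}: link text shows {_host(shown.group())} but points to {host}")
    return warnings
```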

28
Phishing Response Plan
  • If you believe you've been phished, immediately
    notify your IT department.
  • Contact Law Enforcement: www.ic3.gov. (But don't
    expect them to do anything.)
  • Immediately notify members (usually via website).
  • Contact your Anti-Phishing provider.

29
Social Engineering: Phone scams
  • Hackers will call you pretending to be
    management, members or other officials.
  • Verify identity of each caller!
  • Report scam attempts to authorized department or
    individual.

30
Social Engineering: The answer?
  • Policy: Employees must read and sign (and
    understand!)
  • Training/Education: At orientation and
    continuing.
  • Checks: Such as the ones described previously.

31
Member Services
  • Make certain you are talking to the actual member.
  • If you ask too many questions, members get
    annoyed.
  • If you don't ask enough questions, other members
    get annoyed.
  • SSN, mother's maiden name, and address are easy
    to get.
  • Loan balance, loan payment date, etc. are
    difficult to remember.

32
Member ID Verification
  • Solution: Passwords using a Challenge and
    Response system.
  • What was the name of your elementary school?
  • What was your first car?
  • What was your childhood pet's name?
  • What is your father's middle name?
  • What is your favorite (or least favorite) food?
  • What is your birth city?

33
Business Computer Usage
  • The internet can be your friend or foe
  • Internet worms, bot-nets and trojan programs can
    be installed on your PC simply by accessing a
    malicious web site!
  • Limit internet usage to business purposes only!
  • Internet chat services should be off-limits,
    except as explicitly outlined in your credit
    union's security policy.

34
Business Computer Usage
  • Never open or preview any e-mail from an unknown
    source.
  • E-mail can contain viruses, trojans, bot-nets and
    fraudulent links.
  • If you suspect you have opened a malicious
    e-mail, report the incident to your IT staff
    immediately!

35
Security Resources
  • www.cudefense.com
  • www.ncua.gov
  • www.sans.org
  • www.securityfocus.com
  • http://online.securityfocus.com/bid
  • www.ntbugtraq.com
  • www.cybercrime.gov
  • www.cve.mitre.org
  • www.gocsi.com
  • www.zone-h.org (under crime archive)
  • A Web search for "hacking" will return lots of
    information.