Presentation on theme: "Information Security Awareness Training"— Presentation transcript:
1 Information Security Awareness Training WelcomeWhy is this important…Identity theft is the #1 fastest growing crime in the (world)According to the Multi-State Information Sharing and Analysis CenterCyber Crime is big business costing 24 countries $388 billion in 2011Cybercrime has affected 431 million adults around the world in the past yearForty-Four percent of all online adults have experienced cyber crime in the last yearForty-two percent of younger children (grades 4-8) have been cyber bulliedMany of us has (direct or indirect) access to sensitive data. Custodians, data entry people, call center employees, HR, IT, Healthcare.UMMS Information Security Office
2 What is Information Security? InfoSec is the protection of data in all formsElectronic filesStatic filesDatabase filesPaper documentsPrinted materialsHand written notesPhotographsRecordingsVideo recordingsAudio recordingsConversationsTelephoneCell phoneFace to faceMessagesFaxVideoInstant messagesPaper messagesWhether or not an employee uses a computer in their job,We must consider that sensitive data can be found in many forms-Above List-and data is now everywhere including on your smart phone and other mobile devices. If your mobile device is not password protected and becomes stolen or lost, you risk exposing UMMS sensitive s to cyber criminals.Papers printed and left on the trainFace-to-face conversations, FAX, telephone calls…Visible computer monitors with sensitive data can cause a reportable breach, and worse – the school may not even know it happened, much less – respond to it.
3 Why is this Important? A data breach could result in: Requirement to report the lossHIPAA, FERPA, MGL c.93H, PCI, SOX, othersCivil and criminal penaltiesDamage to organizational reputationLoss of revenueIndividual accountabilityPotential impacts of breachHIPAA fee structure$50k per record up to $1.5M (annual maximum)Criminal, Civil fines, Organizational reputation, Lost revenue (unlike TJX), Individual accountability (including YOU and I!!)
4 Isn’t this just a technical problem? Technology defenses comprise roughly 15% of our controlsTechnical controls often cannot compensate for user’s behaviorCyber-criminals focus on users as a weak link in securityHaving a security-aware workforce is a requirement in today’s threat landscapeTechnology continues to keep out most “legacy” threats, (viruses, etc.) and many new ones.Technical controls are like a seat belt in a car. The seat belt (control) helps protect you but you need to be a good driver to avoid accidents (malicious attacker).Users who click on SPAM or who visit infected web sites invite malware inside our network perimeterGetting users to click on the “bad things” is the focus of cyber criminals. These are organized criminal syndicates.Employees knowing not to click on suspicious content is today’s best defense.
5 What are the risks? Evolving “Threat Landscape” Older attacks targeted infrastructureModern attacks target usersNature of threat landscapeOver 90% of Cyber thieves are affiliated with organized crimeTheir sophistication rivals those of commercial software vendorsMethods of infectionCyber thieves attack high-volume web sitesComputers that visit the site become infected-borne ‘malware’Infected machine “phones home” to say I’m infectedUse the infected computer to strengthen their hold on the organization“Attacks” used to consist of mostly harmless, but annoying website defacements and viruses. These attacks were obvious and relatively unsophisticated.Today’s attacks are quiet, below the radar, and impactful.90% are perpetrated by organized crime, and cross multiple international jurisdictions, typically those that do not have good diplomatic relations.Attackers have an arsenal of easily accessible (u can even rent the service!), sophisticated tools such as the Black Hole exploit kit. These tools are quickly updated with the latest software vulnerabilities often before a “fix” is available from the software vendor.Methods of infection: “Poisoned web site”, borne “badness”, each gives the attackers a ‘toe-hold’ on the target.
6 Social Engineering and Top Techniques Social engineering is: “the art of manipulating people into performing actions or divulging confidential information”. E.G.Reply now in order to keep your account from being deletedDid you see this video of YOU? Check out this link!Click here to see a message from your secret admirer.You’ve won the big sweepstakes! Click here to claim your prize.Can you hold the door for me? I don’t have my access card.Hi, I’m the rep from the copier company and I’m here to see Jeff.“APTs”Mitnick quote.Have any of these happened to you?APT – Advanced Persistent Threat. – Highly sophisticated organized crime using state of the art tools to go after a very specific target of a specific business. E.G. Highly sensitive research data, PHI, PII. Determined until done. Willing to wait weeks or longer to get the data.Example: Close to home – user receives from at first glance appears to be from “IT Department” – account is about to be deleted, need to reply immediately with username and password so account is not deleted. User replies “Is this legit?”. Response “Yes”. User sends credentials unknowingly to a person of malicious intent. Fortunately able to catch quickly a change password before damage done.Dead giveawaysIS will NEVER ask for your username and password. Against AUP. NEVER SHARE YOUR PASSWORD! Accountability.URGENT – must do NOW!Sender address was not from ISAsk a reputable source to confirm a real request – The Helpdesk.Before I turn to the next slide – Who owns a Flash/USB drive? Show.Amateurs target systems-Professionals target people -Kevin Mitnick
7 An Honest MistakeTo work at home you copy sensitive information onto a handy USB flash drive.You lose your flash drive.The data which you took from your secure work computer is now possibly in the hands of someone who can use it inappropriately. The likelihood of this scenario is increasing as the use of convenient plug and play devices like USB flash drives becomes more common.Who owns a Flash/USB drive?How would you prevent from happening?VPN to you desktop from home. Keep data at work where it is secure!!Example: Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. To Pay $1.5 Million To Resolve HIPAA Charges - and take a series of corrective actions. Stolen non encrypted laptop that contained patient info.All UMMS issued laptops are required to be encrypted via IS.
8 What can I do? Become aware of cyber threats Understand that YOU are often the front line of defense against cyber threatsSelect a strong password, and never share it!!Remain guarded when working with data, , WWWUnderstand data sensitivity and how to manage data appropriatelySafeguard information that is entrusted to youReport suspected InfoSec incidents (UMass Help Desk, UMHD)Develop awareness of these problemsUnderstand that YOUR computer habits can either invite or discourage people of malicious intentUnderstand the sensitivity of data that is entrusted to you, and know how to handle it.Report suspected incidents…
9 Security Resources UMMS IS Help Desk 508-856-8643 Look for our IT Security postings on Inside.umassmed.eduUMass Security Policy:Take the MSISAC Cyber Security Pledge: https://msisac.cisecurity.org/cyber-pledge/Daily tip: https://msisac.cisecurity.org/daily-tips/Security ResourcesHelpdeskMOTD/Alerts on Inside.umassmed.eduPolicyPledgeDaily tips