CYBER SECURITY TRAINING Virginia Marine Resources Commission MIS Dept. October 2012.

Who What When Where Why

Why? Top 10 state complainant rates per 100,000 population (FTC News): 1. Alaska, 2. District of Columbia, 3. New Jersey, 4. Nevada, 5. Colorado, 6. Ohio, 7. Maryland, 8. Florida, 9. Virginia, 10. Washington (104 per 100,000). The Internet Crime Complaint Center (IC3) reported the following statistics for 2011:

Commonwealth Information Security Incident Report 2011 (VITA 2011 Report)

Why Worry About Statistics? Computer systems have value both to their owners and to malicious individuals who want the data stored on them and the processing power they offer. Malicious individuals may also take over a system to store illegal material, or to launch attacks that will be traced back to the compromised system rather than to the attacker.

Why Worry?
– Websites can be disabled and made unavailable
– Office and home computers can be damaged by a virus
– Hackers can break into our databases and steal identity information, not just our customers' but yours as well!
– Malicious users could use our systems to attack other systems

DID YOU KNOW? A Microsoft Windows computer without the appropriate patches can be exploited in as little as five minutes. A modern desktop computer can send 200,000 spam e-mails an hour. Networks of exploited computers (bots) can be rented for targeted attacks via web stores controlled by the bot owners.

We Are Part of the Global Society
– Age is irrelevant: young teenagers in various countries have used the Internet to hack into Pentagon sites.
– Criminals have created international gang activity using the Internet as their medium (drugs, financial gain, human trafficking, etc.).
– Terrorist groups use the Internet to conduct their operations, recruit and coordinate on a larger scale.
– Nation-states use the Internet to conduct reconnaissance and espionage; stealing intellectual property is not an uncommon practice. (INSA)

What to Look Out for?

WHAT IS SPAM? The simple definition of spam is that it is unsolicited e-mail:
– Product offers
– Misdirection to allow installation of malware
– Misinformation (denial of access)

WHAT IS PHISHING? According to Microsoft: Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, Windows Live IDs, bank and other account data and passwords, or other information. (Microsoft)

TYPES OF PHISHING
– Fake account reset or "mailbox over limit" notices
– IRS, FBI and Treasury scams
– Credit union and banking scams
– Major events (elections, holidays)
– Social networking web sites
– Fake websites: sites that spoof your familiar sites using slightly different web addresses
– Instant message programs

EXAMPLE OF PHISHING
From: Phillips, Sarah (DCR)
Sent: Thursday, September 16, :22 PM
To:
Subject: Your mailbox has exceeded its size limit
Your mailbox has exceeded one or more size limits set by your administrator. Your mailbox size is KB. Mailbox size limits: You will receive a warning when your mailbox reaches KB. You cannot send mail when your mailbox reaches KB. You cannot send or receive mail when your mailbox reaches KB. You may not be able to send or receive new mail until you reduce your mailbox size. To make more space available, complete the questionnaire below: UPGRADE NOW
If you clicked on this link it would bring you to a web site asking you to log in with your username and password. Once you did that, you would have handed the phisher your username and password. One MRC user did exactly this, and within hours thousands of spam e-mails were being sent from his address.

WHAT IS A KEYLOGGER? A keylogger is a malicious program (it can even be a hardware device) designed to monitor and log all keystrokes. It is one of the biggest threats posed by malware because it can capture everything typed on a computer. Keyloggers are often set up to look specifically for passwords, confidential information, PINs, credit card account numbers and SSNs, the items most sought by criminals for fraud and identity theft. (VIRUSLIST)

WHAT IS SOCIAL ENGINEERING? According to Microsoft: The purpose of social engineering is usually to secretly install spyware or other malicious software or to trick you into handing over your passwords or other sensitive financial or personal information.

TYPES OF SOCIAL ENGINEERING
– Phishing
– Spear phishing
– E-mail hoaxes
– Telephone or in-person fraud
– Shoulder surfing
– Nigerian scam e-mail

FAKE ALERT VMRC has had numerous cases of Fake Alert Trojans in our agency. In each case the PC had to be reimaged and data was lost. If you see a pop-up similar to the fake antivirus alert shown on this slide, turn your computer off immediately and contact MIS personnel. Do not click on anything in an attempt to close this type of fake alert window: a single click executes and installs the malware. As always, any suspicious computer behavior should be reported immediately to any MIS personnel!

WHERE: WORK AND AT HOME

Don't Be a Statistic, Use Common Sense Online! YOU ARE THE PRIMARY DEFENSE AGAINST CYBER ATTACKS:
– Symantec: 90% of malware requires human interaction
– Mandiant: 100% of successful APT (Advanced Persistent Threat) attacks compromised the human

PROTECT YOUR PERSONAL INFORMATION
– Don't give out your name, home address, phone number, account numbers or Social Security number without finding out why it is needed and how it will be protected
– Monitor your e-mail; don't respond to unknown or unsolicited e-mail
– When shopping online, take measures to reduce the risk: make sure the browser shows the lock icon and the address begins with https:// (a secured site)
– Read the company's privacy policy

PROTECT AGENCY SENSITIVE DATA: What is Sensitive Data? By statute, sensitive personal information means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted: 1) Social Security number; 2) driver's license number or state identification card number issued in lieu of a driver's license number; or 3) financial account number, or credit card or debit card number, in combination with any required security code, access code or password that would permit access to a resident's financial accounts.

PROTECT AGENCY SENSITIVE DATA: What is Sensitive Data? By statute, sensitive medical information means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted: 1) any information regarding an individual's medical or mental health history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or 2) an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.

PROTECT AGENCY SENSITIVE DATA Remember: by statute, at MRC, confidential harvest information is also considered sensitive data.

PROTECT AGENCY SENSITIVE DATA: Your Role in Protecting Sensitive Data
– Sensitive data must never be transmitted electronically by e-mail, FTP, flash drive or any other means unless it has been encrypted
– All sensitive data must be stored in the assigned, designated network location
– Never copy sensitive information to non-network locations (such as the local hard drive) unless properly authorized
– Sensitive data will only be used for legitimate business purposes
– Report all unusual behavior and malware events as soon as possible
– If you are authorized to store sensitive data on a computer, the agency-approved encryption program must be used to secure it
Employee Sensitive Data Handling Acknowledgement: all users in the agency are required to sign the Employee Sensitive Data Handling Acknowledgement form located on our website. This form serves as your authorization to store sensitive data electronically in a non-network location. If you do not remember completing this form, or have any question about whether you are authorized to handle sensitive data, please contact Erik at x72262.
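
As an added worked example (not part of the original training and not MRC's own tooling), here is a small Python check of the kind that could be run over a file before it is e-mailed, applying the statutory rule above: a name linked to an unredacted Social Security number or payment card number counts as sensitive, an SSN on its own does not, and a redacted one does not. The regular expressions, the Luhn check and the crude name pattern are constructed approximations; driver's license numbers and other account-number formats are not covered, and a real deployment would tune the patterns and use proper name detection.

```python
import re

# Constructed patterns (assumptions, not from the training slides):
#  - SSN in the usual 3-2-4 form, rejecting groups the SSA never issues
#  - 13-19 digit payment card numbers with optional space or dash separators
#  - a crude "First Last" or "F. Last" name pattern (the statute keys on a
#    name linked to a data element); real name detection is much harder
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
NAME_RE = re.compile(r"\b(?:[A-Z][a-z]+|[A-Z]\.)\s+[A-Z][a-z]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so phone numbers and random digit runs are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_data_elements(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched text) for every statutory data element found unredacted."""
    found = []
    for m in SSN_RE.finditer(text):
        found.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(("card", m.group()))
    return found


def is_sensitive(text: str) -> tuple[bool, list[tuple[str, str]]]:
    """Statutory test: a name linked to at least one data element, neither encrypted nor redacted."""
    elements = find_data_elements(text)
    has_name = NAME_RE.search(text) is not None
    return (has_name and bool(elements)), elements


if __name__ == "__main__":
    # Constructed sample records; the SSN and card number are well-known test values.
    samples = [
        "Jane Doe, SSN 123-45-6789, licence renewal",
        "J. Smith paid with card 4111 1111 1111 1111",
        "Jane Doe, phone 757-247-2200",      # a phone number is not a data element
        "SSN 123-45-6789",                   # element without a name: not sensitive by the statute
        "Jane Doe, SSN XXX-XX-6789",         # redacted: not sensitive
    ]
    for s in samples:
        flag, elems = is_sensitive(s)
        print(f"{'SENSITIVE' if flag else 'ok       '}  {s!r}  {elems}")
```

The Luhn check is what keeps ordinary phone numbers and reference numbers from being reported as card numbers; a scanner without it produces enough false alarms that users stop reading its output.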

ENCRYPTION
– Unless authorized otherwise, store sensitive data only on your designated network drive; sensitive data on the network does not have to be encrypted, but use common sense and encrypt the file if it contains a significant amount of sensitive data
– If you are required to carry sensitive data on a mobile device, that data must be encrypted, and you must obtain permission to do so from the agency ISO and the Commissioner
– All encryption software will be installed by MIS personnel only
– Never ever send unencrypted sensitive data in an e-mail! Call in the information to the designated person, or obtain the proper software from the Commissioner to encrypt it before e-mailing

PASSWORD Your password is the key to your computer; don't make it readily accessible. Never leave your password out in plain view. Keep it secured! Never share your password. Your IT person should never ask for your password!

USER IDs & PASSWORDS
– Change your passwords at a minimum of every 90 days
– If your password is compromised, or if you suspect a malware infection, immediately change your passwords, and always contact your Information Security Officer if this occurs
– Don't reuse your previous passwords
– Don't use the same password for each of your accounts
– When your computer prompts you to save or remember your password, click No

STRONG PASSWORD
– Use at least eight characters, including numerals and symbols
– Avoid common (dictionary) words
– Don't use your personal information, your login name, or adjacent keyboard keys as passwords
– Use a variety of passwords for your online accounts

PASSWORD TIP Use memorable phrases, such as "I hate Mondays!" Alter capitals with lowercase, substitute numbers, and use symbols. Example:
Using this format gives you the opportunity to keep the same base password for a long time: change at least two characters and most policies will accept it as a new password. Caveat: a two-character change offers little protection if the old password has been stolen, so after a suspected compromise choose a new phrase rather than a variation.
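
To make the STRONG PASSWORD rules concrete, here is an added Python checker (example code written for this page, not an MRC tool) that tests a candidate against each rule in turn: minimum length, a numeral, a symbol, no dictionary word, no personal information such as the login name, and no run of adjacent keyboard keys. It also undoes the usual letter-for-digit substitutions before the dictionary check, because password crackers apply exactly those rules, which is why "Ih8M0nd@y$!" from the tip above is still reported as containing "monday". The word list, keyboard rows and substitution table are constructed stand-ins.

```python
import re
import string

# Constructed stand-ins (assumptions, not from the training): a real checker
# would load a full dictionary, and the agency policy may differ in detail.
COMMON_WORDS = ("password", "welcome", "letmein", "summer", "monday", "virginia")
KEY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Undo common digit/symbol-for-letter substitutions before the dictionary check,
# because cracking tools try exactly these rules.
LEET = str.maketrans("0@$13!547", "oasieisat")


def has_keyboard_run(pw: str, n: int = 4) -> bool:
    """True if n or more adjacent keys on one row appear in order (either direction)."""
    low = pw.lower()
    for row in KEY_ROWS:
        for r in (row, row[::-1]):
            for i in range(len(r) - n + 1):
                if r[i:i + n] in low:
                    return True
    return False


def check_password(pw: str, personal: tuple[str, ...] = ()) -> list[str]:
    """Return the policy rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeral")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    low = pw.lower()
    deleeted = low.translate(LEET)
    for word in COMMON_WORDS:
        if word in low or word in deleeted:
            problems.append(f"contains dictionary word '{word}'")
    for item in personal:
        if len(item) >= 3 and item.lower() in low:
            problems.append(f"contains personal information '{item}'")
    if has_keyboard_run(pw):
        problems.append("contains adjacent keyboard keys")
    return problems


if __name__ == "__main__":
    # Constructed candidates; "jsmith" stands in for the user's login name.
    for candidate in ("qwerty12", "jsmith99!", "Ih8M0nd@y$!", "Vmrc!2012"):
        print(candidate, "->", check_password(candidate, personal=("jsmith",)) or "passes")
```

The check is deliberately rule-based so that the message tells the user which rule to fix; it says nothing about how long a password would survive an offline attack, for which length matters far more than symbol count.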

LOG OFF OR LOCK UP When leaving your desk, remember to log off, or press CTRL-ALT-DELETE to lock your workstation.

SECURITY SOFTWARE AT HOME, MAKE SURE THE FOLLOWING PROGRAMS ARE UP-TO-DATE:
– Anti-virus software
– Firewall (for example the Windows XP Firewall)
– Anti-spyware and anti-malware software
– E-mail scanning
– Windows Updates
– Application software

UPDATES AT WORK Note: MRC COV PCs are auto-updated by VITA, but you should still monitor your McAfee virus program to ensure it is working properly. This can be accomplished by:
– Go to Start Menu > All Programs > McAfee > VirusScan Console
– Check to confirm that McAfee AutoUpdate and the (Managed) Weekly Enterprise Scan have run in the last week; if not, contact the MIS department for further guidance

UP-TO-DATE At home, in order to protect yourself and your computer, you need to ensure that your operating system and web browser are up-to-date. Security patches are released frequently, so check regularly, or better yet, set Windows and your browser to auto-update. (Microsoft)

BACK UP YOUR DATA One of the biggest errors people make is not backing up their data! Depending upon your use: for work, we back up the network drives every night (we do not back up local C: drive files, so use the network drives for almost all work). For home, you should strive to back up your original files, such as Word documents, spreadsheets and pictures, at least weekly (for example with Windows XP Backup).

MOBILE DEVICES
– Secure your laptop with a cable lock, or store it in a locked area or locked drawer
– Keep all devices with you during air and vehicle travel until they can be locked up safely. Do not forget to retrieve them after passing through airport security.
– Always keep your BlackBerry and flash drives in a secure location. Maintain physical control of these devices!
– NEVER EVER store unencrypted sensitive data on these devices!
– Limit exposure of your mobile phone number
– Be choosy when selecting and installing apps
– Set Bluetooth-enabled devices to non-discoverable
– Avoid joining unknown Wi-Fi networks and using public Wi-Fi hotspots
– Don't use third-party device firmware to change access to your device (US-CERT)

E-MAIL SECURITY TIPS
– DO NOT send unencrypted sensitive data in an e-mail! Always contact MIS if you need to send confidential data by e-mail
– Watch out for phishing e-mails
– Store critical e-mails in your personal folders
– COV e-mail accounts must not be auto-forwarded to any external accounts
– Never ever click on an untrusted link in an e-mail; always type the address into the browser yourself. HINT: hover your mouse over an e-mail link without clicking; if the web address shown is different from what you would expect, it may be a phishing or malware website!
– Do not open attachments from unknown sources!
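
The hover test above, and the "slightly different web addresses" warning in the phishing types, can both be automated. The following Python example is added for this page (it is not MRC or VITA tooling): it pulls every link out of an HTML message body and reports two things, link text that names one site while the href goes to another, and hosts that embed or closely resemble a trusted domain without being it. The trusted-domain list, the "last two labels" guess at the registered domain and the sample message are constructed assumptions; the sample is modelled on the mailbox-limit lure quoted earlier in the training.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the registered domains this agency's users should expect mail to link to.
TRUSTED_DOMAINS = ("virginia.gov", "microsoft.com")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str):
    """Lower-cased host for http(s) URLs; None for mailto:, javascript: and the like."""
    if not re.match(r"^[a-z][a-z0-9+.-]*:", url, re.I):
        url = "http://" + url            # bare "www.example.com/..." as seen in link text
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return None
    return (p.hostname or "").lower()


def registrable(host: str) -> str:
    """Crude registered-domain guess (last two labels); real code uses the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def check_link(href: str, text: str, trusted=TRUSTED_DOMAINS) -> list[str]:
    """Reasons to distrust one link; an empty list means nothing suspicious was found."""
    host = host_of(href)
    if host is None:
        return [f"link is not http(s): {href}"]
    reasons = []
    # 1. The hover test: visible text names one site, the href goes to another.
    if LOOKS_LIKE_URL.match(text):
        shown = host_of(text)
        if shown and registrable(shown) != registrable(host):
            reasons.append(f"text shows {shown} but link goes to {host}")
    # 2. Spoofed addresses: a trusted name embedded in, or a couple of edits from, an unrelated domain.
    reg = registrable(host)
    for td in trusted:
        if reg == td:
            continue
        label = td.split(".")[0]
        if label in host:
            reasons.append(f"{host} embeds trusted name '{label}' but is not {td}")
        elif edit_distance(reg, td) <= 2:
            reasons.append(f"{host} looks like trusted {td}")
    return reasons


def scan_email(html: str) -> list[tuple[str, list[str]]]:
    """Return (href, reasons) for every link in the HTML body that fails a check."""
    collector = LinkCollector()
    collector.feed(html)
    return [(h, check_link(h, t)) for h, t in collector.links if check_link(h, t)]


# Constructed message modelled on the mailbox-limit lure quoted earlier in the training.
SAMPLE_EMAIL = """
<p>Your mailbox has exceeded its size limit. To make more space available:
<a href="http://vita.virginia.gov.mail-upgrade.example/login">UPGRADE NOW</a></p>
<p>Mailbox policy: <a href="https://www.vita.virginia.gov/">https://www.vita.virginia.gov/</a></p>
<p>Helpdesk: <a href="http://198.51.100.7/vita">www.vita.virginia.gov/helpdesk</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("   ", r)
```

The first sample link is the classic trick: "vita.virginia.gov" appears at the start of the host, but the registered domain is whatever comes last, so the browser would go to mail-upgrade.example. The third shows a real address as link text over a bare IP address, which is exactly what the hover hint is meant to expose.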

EXAMPLE OF VITA'S MAILBOX SIZE LIMIT ALERT
From: Microsoft Outlook
Sent: Thursday, September 20, :00 AM
To:
Subject: Your mailbox is almost full.
Importance: High
Your mailbox is almost full. Please reduce your mailbox size. Delete any items you don't need from your mailbox and empty your Deleted Items folder. (Usage shown: 163 MB of 200 MB)
** Remember: VITA will never send you a hyperlink in this e-mail for you to click on **

WIRELESS SECURITY
– If you are issued a VPN fob, never attach your PIN to the device, and always secure the device
– Always secure air cards as you would any mobile device
– Be alert when using a public wireless network; never transfer or access sensitive data while attached to one! Hint: avoid public wireless networks whenever possible

WIRELESS NETWORKS Ensure your home wireless network is set up as a secure wireless network (Microsoft guide: networking/setup/wireless.mspx)

REMOTE ACCESS
– Only authorized personnel are allowed to access their network drives remotely
– Don't use public Wi-Fi to access the VMRC network server
– Secure all VPN fobs as you would a laptop computer, and never attach your PIN to the device
– Remember never to access sensitive data in a public location

WHEN TO CONTACT MIS AND OTHER AGENCIES

When to Contact MIS? Contact any of your MIS personnel and supervisor about any cyber security incident!

Contact MIS for Software Installation Remember never to install software on any device (computer, USB drive, BlackBerry, etc.) without permission from the ISO. This ensures we have met all licensing and copyright requirements.

Contact MIS for Account Access MIS has an automated data system account request process. This process replaces the paper forms and signatures used in the past. The supervisor initiates a new account request by logging into the portal:

Contact MIS for Account Access Supervisors log in to the portal with their e-mail address as the username and their password (use the "forgot password" link if you are unsure of your password).
– On the System Access menu, select whether the request is for a citizen or an employee and follow the instructions given
– After the request is submitted, the assigned custodian receives an e-mail requesting approval
– Next, the system owner receives an e-mail requesting approval
– Once all approvals have been granted, the user, supervisor, custodian and system owner receive an e-mail stating that the account has been created or documented
The final notification includes the terms of use and initial instructions. For agency-owned systems the user must also actively acknowledge the terms of use on first login. For non-agency-owned systems the user, supervisor, custodian or system owner may all have to be involved to set up the necessary access to the external data.

Contact the FTC When Identity Theft Occurs
– File a complaint with the Federal Trade Commission:
– Place a fraud alert on your credit reports, and review your credit reports. This can be done by contacting one of the nationwide consumer reporting agencies
– File a police report
– Close the accounts that have been tampered with or opened fraudulently

WHO IS IT? You don't open your door at home without checking who is there, so why would you not take the same precaution online?

Thank You! Thanks for going through the training today. Information security is critical at work and at home. We appreciate you taking the time to learn the contents of this training, and highly encourage you to take some time regularly to read up on security topics. Use our MRC security web page to access more information on security and on account requests. Also available on the security web page is the Agency Information Security Policy; all users should be familiar with the policy and with their responsibilities for security as agency employees. Please contact Erik Barth (x72262), Linda Farris (x72280) or your supervisor if you have any questions about this training or about information security topics in general.

References: FTC News; Microsoft; VIRUSLIST; INSA; Wikipedia; Stay Safe Online; OnGuard Online; Multi-State Information Sharing and Analysis Center (MS-ISAC); United States Computer Emergency Readiness Team (US-CERT); VITA 2011 Report; Websense