1
Security Awareness Computer Security
2
Why is it important for us to protect our data and be aware of the threats that put your program at risk? Client information, employee information and bank account details: all of this information can be hard to replace and potentially dangerous if it falls into the wrong hands.
Privacy is a personal choice about whether to disclose information. Privacy is often referred to as the right to control information and decisions about oneself.
Confidentiality means a responsibility to protect the information that someone else has shared. It is a promise that (1) the advocate will not intentionally disclose information, (2) the advocate will take protective measures to prevent inadvertent or unlawful disclosure of information, and (3) the advocate will vigorously challenge any attempts to take the information. When an advocate promises confidentiality to a survivor, the advocate is saying, “Regardless of who else knows this information, I will fight to make sure no one hears it from me.”
3
What is Computer Security?
Computer Security is the protection of computing systems and the data that they store or access. How is this achieved? Passwords, network configuration and training.
Computers drastically reduce the amount of physical storage space required at an agency to store documents and records. About 250,000 pages of text fit on one CD-ROM (700 MB). Computers are now routinely sold with hard drives of 500 GB to 1 TB, so storage space is rarely the limiting factor. Computers allow for the creation of court databases, offender management systems, protection order registries, or other databases that allow agencies and organizations to carry out their tasks and responsibilities more efficiently.
Computer hard drives can become defective and stop working. If this occurs, all the data stored on that hard drive can be lost instantly. If that hard drive belongs to an agency’s network or server holding all the shared files, thousands of files and historical data can be lost as well. It is good practice for agencies to have policies in place that require regular backups so that valuable information is not lost forever.
4
What is “sensitive data”?
Sensitive personally identifiable information (PII) is data that can be traced back to an individual and that, if disclosed, could result in harm to that person. Give examples of what sensitive data YOU handle every day. List on flip chart. Make the point that we deal with A LOT of sensitive data.
5
Sensitive Data
- Case notes
- Medical information
- Personally identifiable financial information
- Unique identifiers (passport, SS#, birth certificates)
- Photos
Sensitive data should be encrypted both in transit and at rest!
6
Threats
To victims:
- Violating privacy / confidentiality
- Risk of additional violence to victims
- Identity theft
- Negative outcomes in attempting to escape domestic violence (divorce, custody, etc.)
- Loss of information
To programs:
- Confidentiality violations
- Harm to community relationships if we are seen as untrustworthy
- Risk of intrusion (hacking)
- Financial liability (lawsuits, etc.)
- Loss of information / records
7
Let’s start with passwords!
Use passwords that can’t be easily guessed. Passwords should be at least 8 characters long with a mixture of upper and lower case letters, numbers and symbols; passwords that can’t be this complex should be at least 10 characters long. Passwords shouldn’t be a complete dictionary word in any language spelled forward or backwards or followed by the number 1, nor your user name, a child’s name, a pet’s name or a birthday. A longer password consisting of several words separated by spaces can actually be more secure and easier to remember. For instance, “The hills are alive with the sound of music” could become “Hills! Alive! Music!”. Use a different password for each account. Activity: Create a password.
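The rules on this slide, turned into a small checker so a trainee can see why a given password passes or fails. This is an added example, not material from the original presentation; the word list, the sample names and the date pattern are constructed stand-ins for a real dictionary and a real HR record.

```python
"""Password policy checker for the rules on the slide.

Added example, not part of the original presentation. Encoded rules: 8+
characters with upper, lower, digit and symbol, or 10+ characters otherwise;
not a complete dictionary word (forward, reversed or followed by "1"); not
your user name, a child's or pet's name or a birthday. Multi-word
passphrases are accepted because they are long, not because of a special case."""
import re
import string

# Constructed stand-in for a real multi-language dictionary (lower case).
DICTIONARY = {"password", "welcome", "summer", "music", "hills", "alive"}

# Dates such as 04/15/1990, 4-15-90 or 19900415 (constructed pattern).
DATE_LIKE = re.compile(r"\d{1,4}[/.\-]?\d{1,2}[/.\-]?\d{2,4}")


def check_password(pw, user_name="", personal_names=()):
    """Return the list of policy rules the password breaks (empty list == OK)."""
    problems = []
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if all(classes):
        if len(pw) < 8:
            problems.append("shorter than 8 characters")
    elif len(pw) < 10:
        problems.append("no full mix of upper, lower, digits and symbols, "
                        "so it must be at least 10 characters")

    core = pw.lower()
    # The slide forbids a complete word, the word reversed, or the word plus "1".
    candidates = {core, core[:-1] if core.endswith("1") else core}
    for word in DICTIONARY:
        if word in candidates or word[::-1] in candidates:
            problems.append("complete dictionary word (possibly reversed or followed by 1)")
            break

    for name in (user_name, *personal_names):
        if name and name.lower() in core:
            problems.append("contains your user name or a personal name")
            break

    if DATE_LIKE.fullmatch(core):
        problems.append("looks like a date or birthday")

    return problems


if __name__ == "__main__":
    # Constructed user record: user name "jdoe", pet called Fluffy.
    for pw in ("Summer1", "Fluffy2010!", "Hills! Alive! Music!"):
        print(pw, "->", check_password(pw, "jdoe", ("fluffy",)) or "OK")
```

The passphrase from the slide passes because it is 20 characters with three character classes, while each individual word in it would fail on its own; that is the point the slide makes about longer, multi-word passwords.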
8
Password Security (cont.)
Protect your passwords. Don't reveal your passwords to anyone, even if they say there’s a good reason; this includes co-workers and supervisors. Avoid writing your passwords down. PASSWORD MANAGERS: passwords can also be stored securely in free and low-cost "password vault" encryption tools, including your computer's keychain. If you store your passwords in a file on your computer, don't include the word "password," "pwd" or anything along these lines in the filename or in the file itself. If you need to write your password down on paper, safeguard the paper in a locked drawer or cabinet rather than posting it on your monitor, under your keyboard, or in a drawer near your computer! Change initial passwords, password resets and default passwords the first time you log in; these passwords can be extra vulnerable to guessing or hacking. Activity: Create a LastPass account.
9
Password Security (cont.)
Enable two-step/multi-factor authentication or other layers of protection where available. Adding another layer of protection means someone needs more than just your password to get in. Examples include use of a one-time code in addition to a password, typically sent via text, app, or voice when you want to log in; thumb scans (biometrics); and lockouts after several incorrect login attempts. Have everyone enable two-step authentication with LastPass.
10
Data Security
Develop clear policies and procedures that outline privacy practices for handling sensitive victim data: the content of the record, how long it will exist, and who may have access to it.
Limit the number of users who are authorized to view the most sensitive information. When determining access levels, your organization must consider safety risks.
Hire a trusted and skilled consultant or security firm to test the security of your network and data protection procedures. Victim service providers must protect the lives of victims (and their data) to the same levels.
Screening, training, and background check processes for individuals who have access to sensitive information.
Procedures for the secure disposal of computers or other electronic media that contain client-identified data. Ensure data is destroyed: use a drive wipe utility to overwrite each sector of the hard drive, making the data unrecoverable. Then dispose of the desktop or laptop through a local electronic recycling company, or donate it to another agency.
11
Internet
Web pages with URLs that start with "http" rather than "https" can put information at risk of being intercepted by malicious people. Don’t provide personal, sensitive or confidential information online unless you are using a trusted, secure web page. At a minimum, look for “https” in the URL to indicate that there is a secure connection. Get to web sites by typing the web address in directly. Don’t click, or cut and paste, links in unsolicited emails. Remember that links and web sites that look legitimate can really be bogus sites designed to steal information or infect your computer. Be especially careful about what you do over wireless. Information and passwords sent via standard, unencrypted wireless (most public-access wireless) are especially easy for hackers to intercept. Only use known, encrypted wireless networks when working with sensitive information. Set devices to “ask” before joining new networks so you don’t unknowingly connect to insecure wireless networks. Never assume that email, instant messages (IM), texts or attachments are private or confidential. Visit PayPal and Facebook to show the lock in the address bar.
12
Downloads, programs, files
What's the risk of downloading programs and files? They can harbor behind-the-scenes computer viruses and spyware, or open a "back door" giving others access to your computer without your knowledge. To help protect your computer and data:
- Only download files, apps, and plugins from trusted sources.
- Don't download plugins to view pictures, videos, music and other content online without verifying their legitimacy. These often contain malware.
- Don't download unknown software or files. Be especially cautious about free software offered online or via email.
- Use file sharing software with caution. Improperly configured file sharing software can allow others access to your entire computer, not just to the files you intend to share. Viruses and other malware can be transmitted by file sharing software; files offered by others may not always be what they say they are.
- Don't open unsolicited attachments. If in doubt, contact the sender and ask if the attachment is legitimate.
- Avoid using untrusted portable media, such as a stranger's flash drive. If the flash drive is infected, it will infect your computer.
3A: What are examples of file sharing programs? Google Drive, Dropbox, iCloud, Google Keep, Office 365.
13
Internet & Email
Don’t click on unknown links or attachments in email, texts, social networking sites, or pop-up ads/windows. These could compromise your computer or take you to malicious web sites designed to steal information. Just opening a malicious web page or attachment can infect a computer. Make sure you know where you’re going before clicking on a link or opening something. Instead of clicking on an unknown link, including “tiny URLs”, look up the website yourself (e.g. Google it) and go there on your own. If you can't verify that something is legitimate, DELETE IT! Can they forward it to their IT person to review? Yes; include “suspicious” or something similar in the subject line.
14
Email Always consider the following before hitting the "send" button:
Can you reduce the level of sensitivity? The easiest way to protect confidential information is not to send it in the first place. Is it possible to de-sensitize the information before you send it? Should you be emailing it at all? Can you use the telephone or send a paper copy instead? Can you minimize the amount of confidential data you are sending? Always read the entire message before adding to it, replying, or forwarding. Delete confidential data that does not need to be included. Start a fresh email when you're starting a new subject. Don't just add it on to another email, especially one that contains confidential data. Include as little confidential data as possible in the new email. Limit distribution of any email containing confidential data to the smallest audience possible.
15
Email (cont.) Who are you sending it to?
Don't distribute or forward confidential data widely or casually. Don't forward confidential data without appropriate authorization. If you absolutely have to send confidential data electronically, only send it to people who absolutely need it. With email, check the entire "to" and "cc" fields before you hit "send" to make sure you know everyone you're emailing. Remove extra addresses. Don’t use mailing lists if you're sending confidential data. Is it labeled correctly? Emails and files containing confidential data should clearly say so. Examples of language to include in files or emails: “Confidential data: Do not redistribute or forward”; “Confidential – Not For Public Disclosure”; "The information in this email is confidential and intended solely for the use of the individual(s) to whom it was addressed." If you're sending an email, start the subject line with the word "CONFIDENTIAL". Avoid using personal email accounts to send work-related emails. How can you get authorization to forward / share / distribute? If it is client data, get a release of authorization; if the email is meant for agency purposes only, say so in it. How can you use the BCC field to protect confidentiality? It keeps recipients' addresses from being disclosed to people they don’t know. Also remove any addresses in the body of the email.
16
Antivirus
Anti-virus protection and software or hardware firewalls are important security steps for any organization with Internet access. The corporate and business editions of antivirus software update themselves and can be set to do automatic scans. Antivirus software: ESET, Symantec, McAfee, Kaspersky, Trend Micro. Never deactivate your computer's antivirus or other protective software. Set them to update frequently and automatically. Basically, the message here is not to ignore anti-virus messages and to keep in contact with their IT person.
17
Wireless Networks
Wireless networks are not as secure as wired networks. Using a VPN (Virtual Private Network).
Wireless networks are inherently less secure than wired networks because it is easier to intercept information transmitted through the air than information transmitted via a phone line or Internet cable. Encryption is just one of several ways that wireless computer networks can be made more secure; however, even a secured wireless network is not appropriate for highly sensitive information (e.g. personally identifiable victim information).
What is a VPN? (Virtual Private Network) How a VPN works: a VPN uses a special protocol to establish a virtual channel between two machines or two networks. Imagine if you could blow a soap bubble in the shape of a tube and only you and your friend could talk through it. The bubble is temporary, and when you want to have another conversation you would have to create another bubble. That's kind of like a VPN's channel. This channel is actually a temporary direct session; this is what is commonly referred to as tunneling. Then the VPN also exchanges a set of shared secrets to create an encryption key. The traffic traveling along the established channel is wrapped in an encrypted package that has an address on the outside, but the contents are hidden from view. It's sort of like a candy wrapper: you can see the candy, but you don't really know what the candy looks like on the inside. The same thing happens with the encrypted traffic. The original contents are hidden from view, but the package has enough information to get it to its destination. After the data reaches its destination, the wrapper is safely removed.
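A toy model of the two ideas on this slide: the temporary session (the "bubble", each with its own key) and the encrypted wrapper that shows only the outer address. It is an added example, not part of the original presentation and not any real VPN protocol. The shared secret, the SHA-256 counter-mode keystream, the HMAC tag and the packet layout are all constructed for illustration; a real VPN uses a standardised protocol and vetted cipher suite.

```python
"""Toy VPN envelope: tunnel session key + encrypted wrapper with outer address.

Added example, not from the original presentation. Everything here is a
constructed illustration of the slide's analogy, not a real VPN."""
import hashlib
import hmac
import json
import os


def derive_key(shared_secret, session_nonce):
    """Both ends turn the exchanged shared secret plus a per-session nonce into
    one 32-byte key, so every session (every 'bubble') gets its own key."""
    return hashlib.sha256(b"vpn-toy-key|" + shared_secret + b"|" + session_nonce).digest()


def _keystream(key, nonce, length):
    """SHA-256 in counter mode as a toy keystream (stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(key, inner_packet, outer_src, outer_dst):
    """Encrypt the entire inner packet (real source, real destination and
    payload) and put an outer header on it naming only the two tunnel
    endpoints: the candy wrapper with an address on the outside."""
    plaintext = json.dumps(inner_packet).encode()
    nonce = os.urandom(12)  # fresh per packet, so identical packets look different
    ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {"outer_src": outer_src, "outer_dst": outer_dst,
            "nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def unwrap(key, envelope):
    """The receiving tunnel endpoint checks the tag, then removes the wrapper.
    Returns None if the envelope was altered in transit or belongs to a
    different session (a different key)."""
    nonce = bytes.fromhex(envelope["nonce"])
    ciphertext = bytes.fromhex(envelope["ciphertext"])
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(envelope["tag"])):
        return None
    return json.loads(_xor(ciphertext, _keystream(key, nonce, len(ciphertext))))


def what_an_eavesdropper_sees(envelope):
    """Someone on the wireless network can read the outer addresses and the
    size of the traffic, but nothing of the inner packet."""
    return {"outer_src": envelope["outer_src"], "outer_dst": envelope["outer_dst"],
            "ciphertext_bytes": len(envelope["ciphertext"]) // 2}


if __name__ == "__main__":
    # Constructed session: an agency laptop on public wireless and the office gateway.
    key = derive_key(b"constructed shared secret", b"session-1")
    packet = {"src": "10.0.0.5", "dst": "10.0.0.20", "payload": "case note for client 1234"}
    envelope = wrap(key, packet, "203.0.113.7", "198.51.100.2")
    print("on the wire:", what_an_eavesdropper_sees(envelope))
    print("at the gateway:", unwrap(key, envelope))
```

Two things worth pointing out to trainees: the inner destination and the case note never appear on the wire, and an envelope from one session cannot be opened with another session's key, which is the "new bubble for every conversation" point on the slide.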
18
Identifying A Scam: Social Engineering
Key indicators of a scam:
- You are being asked for personal or private information, your password, financial account information, Social Security Number, or money.
- Unexpected/unsolicited email with a link or an attachment.
- Scare tactics or threats stressing that if you don't act quickly something bad will happen.
Social engineering: the practice of trying to trick or manipulate people into breaking normal security procedures is called “social engineering”. The principle behind social engineering and scams in general is that people are the weak link in security: it can be easier to trick people than to hack into computing systems by force. Social engineers exploit people’s natural tendency to want to trust and be helpful. They also take advantage of our tendency to act quickly when faced with a crisis. The scams described on this page are all classic examples of social engineering. Key indicators: scams commonly use email, the internet, or the telephone to trick people into revealing sensitive information or to get them to do something that is against policy.
19
Identifying A Scam (cont.)
Key indicators of a scam (cont.)
- Promises of something too good to be true. This includes bargains and “great offers,” or links to claim an award/reward.
- Requests that you forward emails, attachments, links, etc. to your friends, co-workers or family.
Other indicators that an email isn’t legitimate:
- It’s not addressed to you, specifically, by name.
- The sender isn’t specified, isn’t someone you know, or doesn’t match the “from” address.
- It has spelling or grammatical errors.
- It has a link that doesn’t seem to match where the email says the link will take you, or an attachment with an incorrect or suspicious filename, or a suspicious file extension (e.g. *.zip, *.exe, *.vbs, *.bin, *.com, *.pif, *.zzx).
- It has a link/attachment to view an unexpected e-card or track an unknown package.
- It includes links to pictures or videos from people you don’t personally know.
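The indicators on this slide and the previous one, plus the "look for https" check from the Internet slide, as a small scorer an IT person could run over a message a trainee forwards to them. This is an added example, not from the original presentation; the message layout (a dict with from, to_name, body and attachments) and both sample messages are constructed, and the suspicious-extension list is the one the slide gives.

```python
"""Score an email against the scam indicators listed on the slides.

Added example, not from the original presentation. Checks: request for a
password or account details, scare tactics, not addressed to you by name,
sender name not matching the "from" address, link text pointing somewhere
other than its real destination, links that are plain http, and the
attachment extensions the slide lists. Message format and samples are constructed."""
import os
import re
from urllib.parse import urlparse

SUSPICIOUS_EXT = {".zip", ".exe", ".vbs", ".bin", ".com", ".pif", ".zzx"}
ASKS_FOR = ("password", "social security", "account number", "credit card",
            "wire transfer", "gift card")
URGENCY = ("immediately", "within 24 hours", "suspended", "act now", "urgent",
           "will be locked")
LINK = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_DOMAIN = re.compile(r"[a-z0-9-]+\.[a-z]{2,}", re.I)


def _site(url_or_text):
    """Registrable-domain approximation: the last two labels of the host name."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    host = (urlparse(url_or_text).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def check_message(msg):
    """Return a list of (indicator, detail) pairs; an empty list means nothing matched."""
    hits = []
    text = re.sub(r"<[^>]+>", " ", msg["body"])
    lower = text.lower()

    asked = next((p for p in ASKS_FOR if p in lower), None)
    if asked:
        hits.append(("asks for personal or account information", asked))
    scare = next((p for p in URGENCY if p in lower), None)
    if scare:
        hits.append(("scare tactic or pressure to act quickly", scare))
    if msg["to_name"].lower() not in lower:
        hits.append(("not addressed to you by name", msg["to_name"]))

    # Display name vs. address: does any word of the name appear in the sending domain?
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>', msg["from"])
    name, addr = (m.group(1), m.group(2)) if m else ("", msg["from"])
    domain = addr.split("@")[-1].lower()
    words = re.findall(r"[a-z]{4,}", name.lower())
    if words and not any(w in domain for w in words):
        hits.append(("sender name does not match the from address", addr))

    for href, shown in LINK.findall(msg["body"]):
        shown_text = re.sub(r"<[^>]+>", "", shown).strip()
        if href.lower().startswith("http://"):
            hits.append(("link is plain http, not https", href))
        if LOOKS_LIKE_DOMAIN.search(shown_text) and _site(shown_text) != _site(href):
            hits.append(("link text does not match its real destination",
                         f"{shown_text} -> {href}"))

    for filename in msg.get("attachments", []):
        if os.path.splitext(filename)[1].lower() in SUSPICIOUS_EXT:
            hits.append(("suspicious attachment extension", filename))
    return hits


# Constructed sample messages (no real organisations, people or addresses).
PHISH = {
    "from": '"ExampleBank Support" <support@secure-login-check.example>',
    "to_name": "Jane",
    "body": ('<p>Dear Customer,</p><p>Your account has been suspended. Confirm your '
             'password immediately at <a href="http://secure-login-check.example/verify">'
             'www.examplebank.com/login</a> or it will be closed.</p>'),
    "attachments": ["Invoice.pdf.exe"],
}
LEGIT = {
    "from": '"Agency IT" <it@agency.example>',
    "to_name": "Jane",
    "body": ('<p>Hi Jane,</p><p>Reminder: workstations lock after 10 minutes of inactivity. '
             'The policy is on the intranet: <a href="https://intranet.agency.example/policy">'
             'intranet.agency.example/policy</a></p>'),
    "attachments": ["screen-lock-policy.pdf"],
}

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(label, len(check_message(msg)), "indicator(s):", check_message(msg))
```

The output is a list of things to look at, not a verdict, which is also how the slide presents the indicators: a person's display name such as "Jane Doe" will trip the sender-name check because no word of it appears in the domain, and a legitimate newsletter can use plain http links.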
20
Phishing Some examples include:
“There’s a problem with your account” – trying to trick you into sending your password or clicking on a link in order to fix a problem. Phony security alerts – emails, pop-ups or Facebook notices warning that your computer is at risk of being infected, typically with a link to click. Money phishing – trying to trick you out of money or bank/credit card account info, often by pretending to be someone from another country who needs assistance accessing a large sum of money, or a friend stuck in another country without any money, or an IRS agent claiming that you owe taxes and must pay immediately over the phone. Phishing: phishing is a scam designed to steal information or passwords, compromise computers or trick you out of money, typically via deceptive emails, texts, posts on social networking sites, pop-ups or phone calls. A phisher may ask for your name, account information, date of birth, Social Security number, address, etc. They may also try to get you to click on a link or open a file.
21
Phishing (cont.): Impersonation, the "Microsoft computer support" scam, Ransomware
Activity: Visit SonicWall together.
Impersonation: attackers pose as someone in authority, or an IT representative, in order to obtain information or direct access to systems. Attackers may research the target so they know enough to convince you to trust them. Another example of this is the "Microsoft computer support" scam. Someone supposedly from the Microsoft or Windows Support Center calls you and tells you there's a problem with your computer, or that someone's trying to hack in. They usually have you run some simple commands, then they ask you to install something that will allow them to "fix the problem". They might send you an attachment or a link, or just read you a URL. Following the instructions will give them full access to your computer to do whatever they want.
Ransomware: scams that lock your computer and make you pay money to get it unlocked. A classic example: you get a popup telling you that there is a problem with your computer. The popup offers you free or cheap "anti-virus" to fix the problem. After you install the fake anti-virus, it locks your computer and you have to pay to get it unlocked. Another recent variant is that the popup prompts you to sign in with your Windows account or email or something similar in order for "Windows" to fix the problem. After you sign in, the program locks your browser; in order to unlock it you need to buy "anti-virus" for $200 or $300. This is also a double whammy because you also give the attacker your credit card information.
22
Malware
Malware, short for malicious software, is any software used to disrupt computer operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising.
- Viruses: a computer program, usually hidden within another seemingly innocuous program, that produces copies of itself and inserts them into other programs or files, and that usually performs a malicious action (such as destroying data).
- Worms: a worm is a stand-alone malware program that actively transmits itself over a network to infect other computers.
- Trojans: a Trojan horse, or Trojan, is any malicious computer program which misrepresents itself to appear useful, routine, or interesting in order to persuade a victim to install it.
- Spyware: software that aims to gather information about a person or organization without their knowledge, that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the consumer's knowledge.
- Adware: adware, or advertising-supported software, is any software package that automatically renders advertisements in order to generate revenue for its author.
23
How to Protect Yourself
Make sure your computer is protected with anti-virus and all necessary security "patches" and updates, and that you know what you need to do, if anything, to keep them current. Don't respond to emails, instant messages (IM), texts, phone calls, etc. asking for your password. You should never disclose your password to anyone. Don’t give sensitive personal, financial, log-in, business, system or network information to anyone you don’t know or who doesn't have a legitimate need for it, whether in person, over the phone, or via email, IM, text, Facebook, Twitter, etc.
24
How to Protect Yourself
Don't open files, click links, or call numbers in unsolicited emails, text messages, IMs, Facebook postings, tweets, etc. Don’t click on links in pop-up ads/windows; don't respond to them in any way. Use your web browser’s pop-up blocker, if it has one, to help prevent these ads from getting through. Don’t open files: instead of clicking on a link, look up the website yourself by a method you know to be legitimate, or contact the sender separately by a method you know to be legitimate to verify. Malicious links can infect your computer or take you to web pages designed to steal your information. Malicious attachments can infect your computer. Even seemingly legitimate links and attachments can be harmful. If you can't verify something is legitimate or it seems suspicious, ignore it, delete it or contact your IT provider. Cryptic or shortened URLs (e.g. Tiny URLs) are particularly risky because you can't easily tell where they are supposed to go.
25
Desktop /Laptop Security
Make use of a password-protected screensaver and lock your screen before leaving your desktop. Activity: Set this up together. Shut down, lock, log off, start the screensaver, or put your device to sleep before leaving it unattended: <Ctrl><Alt><Delete> or <Windows key><L> on a Windows PC; the Apple menu or power button on a Mac. Set your device to "lock," "sleep," "auto log-off", or go to screensaver when you're not using it (after a maximum of 10 minutes of inactivity).
26
Flash drives and external hard drives
Password protect your flash drives. Network Security. Activity: create a password for flash drives. Physically secure laptop computers and mobile devices at all times. Keep them with you or lock them up (lock them in a cabinet or keep them locked in your office). Don’t leave portable devices unsecured (such as CD/DVD/flash drives, laptops, mobile phones, external hard drives). Don’t leave mobile devices unattended in public areas. Don’t leave sensitive data lying around. Shred sensitive data. Be sure to back up devices regularly!
27
Tablets: Password protect your tablets
Password protection: use a PIN or fingerprint.
28
Cell phones – work and personal!
Screen lock, fingerprint. Activity: set up an access code with them!
29
Rules of thumb to remember!
Physically secure laptop computers and mobile devices at all times. Don’t leave portable devices unsecured. Don’t leave mobile devices unattended in public areas. Don’t leave sensitive data lying around. Be sure to back up devices regularly! Activity: Go around the room and have everyone say one thing that they will do differently after today. Physically secure: keep them with you or lock them up (lock in a cabinet or keep locked in your office). Portable devices: such as CD/DVD/flash drives, laptops, mobile phones, external hard drives. Give some examples of sensitive data. Shred sensitive data when you are able to.
30
Useful Links https://en.wikipedia.org/wiki/Malware#Trojan_horses
31
Questions
32
Contact information Clara Crite Technology Assistant | OASIS, Inc. P: (270) F: (270) W: A: P.O. Box 315, Owensboro, KY 42302