For use by ASR Field Team only. Do not duplicate or distribute without authorization from ASR.
Information / Data Security Awareness
ASR International Corporation An ISO 9001:2015 Certified Company
Assessed at SEI CMMI Level 3
Over 30 years of extraordinary support to a wide variety of industries.
ASR Training Material
Security Application Series- SEC 001- DOR 20130618
Information / Data Security
Cyber attackers / criminals are relentlessly targeting information / data assets
such as intellectual property, engineering designs / know-how, supplier
information, trade secrets, customer lists, financial information, emails,
customer account information, etc. Several well known companies - Google,
Adobe, Yahoo, Symantec, and many others have all been victims of cyber
hacking!
During your tenure with ASR, you will work with or have access to sensitive /
classified / Government / proprietary commercial information. It is your
responsibility to protect this valuable asset. Unauthorized (or unintentional)
disclosure or loss of information / data could lead to grave financial and
reputational loss / damage for ASR / customers / suppliers leading to negative
relationships with customers. In addition, this could result in possible civil and
criminal sanctions resulting from noncompliance with national, state and federal
laws!
Information / Data Security is Everyone’s Responsibility!
Why Information / Data Security Awareness?
Information / data security is not about technology. It is about people.
Advanced information security systems deployed to stop hackers, phishers,
spies, saboteurs, and cyber criminals / attackers are often compromised by the
complacency, inattention or incompetence of the users! You can unknowingly
pose information security risks in several ways:
♦ Carelessness with passwords or use of weak passwords,
♦ Opening email attachments from dubious or suspicious sources,
♦ Not logging off from the network or the internet connection after use,
♦ Using wireless connections in an unsecure manner,
♦ Reduced emphasis on physical security resulting in loss or theft of your
laptop, portable devices, mobile devices, storage devices, smart phone etc.
containing valuable data and information.
It is essential that you understand the vulnerabilities of cyber space because
you can unintentionally or unknowingly endanger the computer system /
network of ASR / customer / supplier network with grave consequences.
Why Information / Data Security Awareness (Cont’d)?
With companies becoming more reliant on information assets, cybersecurity,
which was considered an IT issue, underpins almost all business initiatives.
Cyber attacks / security breaches inflict significant financial and reputation
losses and may even jeopardize national security!
♦ Do you realize that you could be targeted?
♦ Do you know what constitutes a “suspicious contact”?
♦ Do you know what to do if you suspect that you are being targeted?
♦ Do you know that deleting files from a storage device merely removes the
information the computer needs to find the files – it only removes the
pointers and changes the file name. “Deleted files” can be recovered. Hard
drives / storage devices / unwanted computers must be disposed of
properly in a secured manner to prevent their unauthorized use,
♦ Do you know that cyber attackers can take control of your computer / system
and remove / transfer / modify / delete valuable data and information,
♦ If you are using a mobile device for ASR assignments, is it protected with a
strong password? Insecure or weak passwords on stolen / lost
mobile devices are a growing source of data vulnerability and loss / theft,
♦ Do you know who the Security Contacts within ASR are?
Human Factors
“The human factor is typically the most critical variable in information security systems. Even the best policies and technologies can be rendered completely ineffective if users do not take responsibility for safeguarding the information they control.”
Amit Yoran, former Director of USA’s National Cyber Security Division,
Department of Homeland Security, National Security Institute Article,
“Improving Security from the Inside Out, a Business Case for Corporate
Security Awareness,” Medway, MA.
Some of the factors that cause security breaches are:
♦ Natural tendency to gossip,
♦ Natural tendency to discuss your work / assignments / projects,
♦ Natural tendency to correct mistakes,
♦ Want to change another person's view point,
♦ Implied knowledge,
♦ Sympathy,
♦ Provocation,
♦ Ignorance,
♦ Flattery,
♦ Common interest.
Trade Secret, Proprietary Information Elicitation
“Financial, business, scientific, technical, personnel, customer, economic
or engineering information in the form of plans, patterns, compilations,
prototypes, devices, formulas, techniques, processes, proposals,
presentations, check-lists, documentation, procedures, programs,
codes…. whether “tangible or intangible” and regardless of how stored,
compiled, memorialized, (physical, electronic, graphic, photographic,
audio recording, or written)….and the company has taken reasonable
measures to keep such information secret, and the information derives
independent economic value (actual or potential) from not being
generally known to or attainable by the public…” What’s not a trade
secret!
Elicitation: The process of obtaining information under the guise of a
social or professional conversation. If done correctly the subject does not
even know that he/she is being interrogated. The individual is unaware
that he/she is unwittingly providing information.
Cybersecurity
Cybersecurity concerns can be divided into three broad areas:
♦ External / outside threats: These involve computer system attacks using
viruses, malware, botnets, phishing scams and worms, etc. initiated by
hackers. These are designed to steal data / information, or take over a
computer system to make it inoperative or use it for sabotage. Sometimes
fraudulent sites are created to capture valuable information such as bank
account numbers / credit card numbers, personal identity information, etc.
and used for criminal activities,
♦ System Failures: These are the result of the vulnerabilities embedded in the
software. The identification, management and control of such system
weaknesses through intensive testing, and implementation of patches, is an
important step in ensuring the security of the cyber infrastructure,
♦ Internal risks: These are due to the human factors which can undo and make
ineffective the most sophisticated security safeguards, firewalls and
systems. The insider threat / risks may originate because of malicious
intents of the perpetrator/s but in most cases it is because the users lack an
understanding of the basic cybersecurity principles and the methods used by
hackers to compromise information / data,
A trained, and aware user is the best cybersecurity defense!
Common Cyber Threats
Phishing and Spear Phishing
♦ Uses email to deceive you into disclosing personal / organizational
information,
♦ Spear Phishing is directed towards a specific group or an individual,
Tactics
♦ Email that appears to be from a person of authority / position or a
legitimate company / organization. It may have attachments / links that
contain malicious programs that embed into the computer and take control
of it. Any attached devices such as web cameras and microphones are
covertly operated. Data and information are sent to a rogue computer,
♦ May promise you a reward or dire consequences if you ignore the
suspicious email,
♦ Directs you to links to a malicious website which looks legitimate,
♦ Asks you to update / validate information on a site or by clicking on a link,
Preventive Actions
♦ Do not open suspicious emails or attachments. Delete them,
♦ Do not click on suspicious links,
♦ Ensure that the antivirus software on your computer is current and
updated. However, do not depend on antivirus software alone!
Common Cyber Threats (Cont’d)
Malicious Software (Malware)
♦ Software that damages the computer or may make it behave erratically.
Malicious SW includes:
Viruses,
Trojan horses,
Worms,
Keyloggers,
Spyware,
Rootkits,
Backdoors,
Tactics
♦ Malicious code is distributed by:
Email attachments,
Downloaded / shared files,
Visits to infected web sites,
Use of removable media – USB, CD, DVD,
Preventive Actions
♦ View email in plain text format,
♦ Scan all attachments,
♦ Delete emails / attachments from suspicious sources / senders,
♦ Block malicious links / IP addresses and unnecessary / unused ports at
the firewall / host,
♦ Turn off automatic downloads.
Common Cyber Threats (Cont’d)
Weak Passwords
♦ Use of weak / default passwords is the reason for the most easily
exploitable vulnerabilities leading to serious cybersecurity threats,
♦ Passwords based on information specific to you (name, dates, cities, pet
names) are easily found out,
Tactics
♦ Exploits the typical user inclination to use the same password across
different sites / systems / computers,
♦ Cracking of passwords on less secure sites,
Preventive Actions
♦ Use a combination of letters, numbers and special characters as allowed by
the system,
♦ Do not use personal information as passwords,
♦ Periodically change your passwords,
♦ Do not save passwords / login information in your browser,
♦ Do not share your password,
♦ Do not use common phrases or words as passwords.
Common Cyber Threats (Cont’d)
Unpatched or outdated software with vulnerabilities
♦ Software with known vulnerabilities which has not been adequately
patched is an easy target for cyber hackers to access information,
Tactics
♦ Unauthorized system access,
♦ Unauthorized data transmission,
♦ Unauthorized hardware or software access to further exploit the
vulnerabilities,
♦ Hacker accesses data / information and corrupts or deletes / erases it,
♦ Hacker sabotages the system,
Preventive Actions
♦ Stay current with patches and updates,
♦ Do not rely on the firewall alone to protect against all attacks,
♦ Do not attach unauthorized / suspicious devices (USB, external drive) to
your system,
♦ Watch for suspicious activities - unauthorized network access,
unauthorized / excessive email traffic.
Information Collection Techniques
♦ Unsolicited correspondence - “Shotgunning”, email,
♦ Exploiting legitimate access,
♦ Direct submission of Request For Information (RFI),
♦ Information available on social media sites,
♦ Social networking,
♦ Emotional approach,
♦ Eavesdropping, cyber espionage,
♦ Elicitation,
♦ Recruitment,
♦ Direct monitoring,
♦ Threats or blackmail,
♦ Simply asking,
♦ Technology seminars, trade shows,
♦ Unsolicited requests for information / offers of assistance,
♦ Listening to conversations at bars / restaurants / airport / hotel lounges,
♦ Spyware, cookies, malicious software (malware),
♦ Systems / network hacking,
♦ Phone tapping, interception of communications.
Example of Suspicious Email
Example of Suspicious Request For Information
From: [email protected]
Sent: Thursday, July 07, 2005 9:04 AM
To:
Subject: Requested Information
Hello, I am Ekanga Adani, a Indian AD Officer, who is a grad of OAC 3-98,
Ft. Bliss. What I need is Air Defense, particularly SHORAD lessons
learned from OIF. I would appreciate your assistance if you could.
Please send any information to me by my email [email protected].
Thank you.
Ekanga Adani, Cpt, AD, IND.
Suspicious Contact - Examples
Personal, telephone, e-mail and written communications (including blogs,
chats, twitter, social media sites), asking questions “beyond normal business
scope, not relevant, beyond requirements”,
A favorite MO (Modus Operandi) is to place false information in public arena
/ internet / social media and have experts “correct” it,
Another MO is RFI – Request for Information – they just ask for information!
Attempts by unknown / unverified callers / contacts to obtain information on
people and assignments, projects, equipment, customers,
Incidents before and during travel:
Luggage / belongings tampering,
Same hotel room every trip,
Sense of being followed / observed,
“Beyond normal business scope” questioning by people whose identities /
motivation / purpose are not known,
Contact the ASR Security Director, Facility Security Officer for further
information / clarifications. The ASR contact (phone, email, address)
information is provided on the last slide of this presentation.
Example of Suspicious Contact
-----Original Message-----
From: FBI [mailto:[email protected]]
Sent: Tuesday, July 31, 2007 7:02 PM
Subject: Dscovered
The Federal Bureau of Investigation (FBI), discovered through our intelligence Monitoring Network, that you have an on going transaction with some fraudsters who claim to be legally transacting business with you through the internet.
The fraud starts has been arrested and they are right now in the FBI custody. They confessed that they scammed you of some amount of money which we will not disclose to you right now until you fill the form below for verification of ownership. Your money will be sent to you as soon as we have verify that you are the really owner of the money we recovered from the fraudsters.
Please not that you have been legally declared innocent in the transaction between you and the fraudsters because you were deceived by the fraudsters and do not know what you were doing, so do not be afraid of filling the form below and have it sent back to us via this email address ([email protected]).
PAYMENT RELEASE ORDER FORM
1. FULL NAME
2. AGE/SEX
3. NATIONALITY
4. AMOUNT THAT WAS SCAM
5. RESIDENTIAL ADDRESS
6. PHONE NUMBER
7. HOME ADDRESS
Thanks for your understanding and we are sorry for the inconvenience this may has caused you all this while
We await your responds to this mail as soon as possible.
Regards,
Security Cleared ASR Team Members
If you are a security cleared ASR Team member, you must understand and
comply with the applicable security procedures / requirements, security
classification specifications and guides as applicable to your assignment.
Some of the security procedures / practices that must be followed:
♦ Protect the information,
♦ If you travel abroad, contact the applicable Security Office in advance to
obtain information and security guidance on your destination country,
♦ Do not leave company, customer or other sensitive items / information in
hotel rooms or hotel safes,
♦ Do not discuss sensitive information outside of official company or U.S.
Government offices,
♦ Keep sensitive information in your personal possession at all times, and only
take such information with you, as required, when on official trips,
♦ Refrain from using business cards / other indicative labels as luggage tags,
♦ Do not indicate your affiliations when registering at a hotel,
♦ Avoid potentially hostile or dangerous situations (large crowds and riots),
♦ Ignore or deflect unwarranted inquires or conversation and provide
nondescript answers.
Security Cleared ASR Team Members – (Cont’d)
Your security clearance does not give you approved access to all classified
information. It gives you access only to information at the same or lower
level of classification as the clearance granted, and only where you
have a "need-to-know" in order to perform your work,
Do not carry out excessive / abnormal intranet or internet browsing from
your work-related computer / network,
When doing your job, you are expected to limit your requests for information
to that which you have a genuine need-to-know,
Refrain from discussing classified / sensitive / proprietary information in
hallways, cafeterias, elevators, rest rooms, public areas or smoking areas
where the discussion may be overheard by persons who do not have a
need-to-know the subject of conversation,
Don’t leave electronic devices unattended. If you have to stow them, remove
the battery and SIM card and keep them with you,
Shield passwords from view of others. Don’t use the “remember me” feature
on many websites; retype the password every time,
Don’t open emails or attachments from unknown sources. Don’t click on
unknown / suspicious links in emails.
Information Security – Good Practices
Our activities involve extensive use of email, mobile devices, and computers. We need
to protect our systems against cyber attacks, hacking and email misuse. When using the
office / home computer or a mobile device in connection with your ASR assignments,
cybersecurity procedures must be followed. Some useful tips:
♦ Access only those folders / systems / computers for which you are authorized,
♦ Don’t open emails, attachments, links from unknown people / entities, or unverified
email address. These may have viruses, malicious codes, trojan horses hidden in
them. Delete the emails / attachments promptly,
♦ If you see suspicious messages, activity on your work computer, inform the System
Administrator immediately,
♦ Do not attach unauthorized external devices (USBs, disk drives) to the ASR /
customer computer unless you are sure of their authenticity and source and you are
authorized / permitted to do so,
♦ Check if the antivirus SW on your computer is active and current,
♦ Protect your password. If you think that your password has been compromised, inform
the System Administrator promptly,
♦ Do not install any SW / application on the ASR / customer computer unless it has
been approved and authorized,
♦ Log off from the system when you are away from it for extended periods,
♦ Disconnect from the Internet when you are not using it.
Information Security – Good Practices (Cont’d)
Use the ASR / customer network to store all work-related data and information so that
it is not lost because of a power outage or surge,
Be suspicious of unsolicited phone calls, visits, or email messages from individuals
asking about your project, assignment, your colleagues or other ASR or customer or
supplier information,
Do not provide personal information or information about ASR, ASR customers or the
supplier / your assignment location etc., unless you are authorized by ASR and you
are certain of a person's authorization / need to know to have the information.
Avoid revealing personal or financial information in email,
Don't send sensitive information over the Internet before checking a website's
security,
Pay attention to the URL of a website. Malicious websites may look identical to a
legitimate site, but the URL may use a variation in spelling or a different domain (e.g.,
.com vs. .net; .org vs. .gov),
If you are unsure whether an email request is legitimate, try to verify it by contacting
the company directly,
Clear your browser after use: delete history files, caches, cookies, URL, and
temporary internet files,
Empty your “trash” and “recent” folders after use,
Change your passwords periodically,
Install and maintain current antivirus software, firewalls, and email filters.
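The URL check described above (a spelling variation or a swapped top-level domain hiding behind a legitimate-looking link), worked through as an added example that is not part of the ASR deck. The trusted-domain list and the sample links are constructed; only asrintl.com comes from the presentation.

```python
# Added example, not part of the ASR training deck: checks a link's host the
# way the slide advises, looking for a spelling variation or a different
# top-level domain (.com vs .net). Trusted domains and sample URLs are constructed.
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"asrintl.com", "example-bank.com"}  # hypothetical allow-list


def registrable_domain(host: str) -> str:
    """'login.example-bank.com' -> 'example-bank.com'.
    Simplification: multi-label public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches examp1e-bank or exampel-bank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return one of: trusted, tld-swap, lookalike, embedded-brand, unknown."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    name, _, tld = domain.rpartition(".")
    for t in sorted(trusted):            # sorted so the verdict is deterministic
        t_name, _, t_tld = t.rpartition(".")
        if name == t_name and tld != t_tld:
            return "tld-swap"            # example-bank.net instead of .com
        if edit_distance(name, t_name) <= 1:
            return "lookalike"           # examp1e-bank.com (digit 1 for letter l)
        if f".{t}." in f".{host}.":
            return "embedded-brand"      # example-bank.com.secure-update.example
    return "unknown"


def audit_links(urls):
    """Map each URL to its verdict; anything but 'trusted' deserves a second look."""
    return {u: classify_url(u) for u in urls}


# Constructed links of the kind a suspicious email might carry.
SAMPLE_LINKS = [
    "https://login.example-bank.com/account",
    "https://www.example-bank.net/verify",
    "http://examp1e-bank.com/login",
    "https://example-bank.com.secure-update.example/verify",
    "https://www.python.org/",
]

if __name__ == "__main__":
    for url, verdict in audit_links(SAMPLE_LINKS).items():
        print(f"{verdict:15} {url}")
```

The "embedded-brand" case is the one that defeats a quick glance: the familiar name appears at the front of the host, but the part that actually decides where the browser goes is the last two labels.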
Information Security Awareness Tips
Passwords
♦ Do not use personal information,
♦ Do not use common phrases or words,
♦ Change password regularly,
♦ Combine letters, numbers, special characters,
Avoiding spear phishing / phishing attempts
♦ Do not access the web by selecting links in e-mails or pop-up messages.
Type the web address,
♦ View e-mails in plain text,
♦ Do not give out your password,
♦ Avoid providing personal information in an email,
Emails
♦ Scan all attachments,
♦ Delete e-mail from senders you do not know,
♦ Turn off automatic downloading,
♦ Email with caution,
♦ Do not email / forward e-mail hoaxes,
Avoiding computer viruses
♦ Scan files before uploading them to your computer,
♦ Do not attach unknown, unauthorized devices to the system – thumb drive,
flash drive, CD, DVD, external hard drive.
Take Home Points - Security Awareness
♦ Recognize that there is a real threat,
♦ Identify and protect trade secrets, proprietary, confidential information,
♦ Protect all technical, customer, information / data,
♦ Use strong passwords,
♦ Exercise Need-to-Know for everything not just classified / confidential
information, watch requests beyond “the normal scope”,
♦ Safeguard your computer / password,
♦ Log off when you are finished using the computer system,
♦ Use wireless networks that you trust. Networks in hotels, cafes, libraries, airports
may not be secure,
♦ If you are using a public computer, clear the browser cookies and clear the cached
files from the browser,
♦ Don’t talk shop in social settings, know your audience at all times,
♦ Beware of suspicious email, unsolicited contacts, telephone calls,
♦ Be careful of suspicious internet web sites,
♦ Avoid downloading of files from unknown web sites / email senders,
♦ Do not overlook virus protection. Since new viruses pop up every day, scan for
new viruses frequently if you are a heavy Internet user or receive large volumes
of unsolicited e-mail.
ASR International Corporation
580 Old Willets Path, Hauppauge, NY 11788, USA
Phone: +1 631 231 1086 Fax: +1 631 231 1087
Email: [email protected] Website: www.asrintl.com