View
217
Download
1
Category
Tags:
Preview:
Citation preview
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Paper
• Technology has not eliminated this risks Dumpster divers Mobile phones with cameras Opportunist
• Expectations Use appropriate shred bins
• Secure and empty personal bins daily Remove paper from printers/faxes/common areas as
quickly as possible Clean desk:
• Keep NPI out of site from public
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Verbal Communication
• Discussions containing NPI should be conducted in appropriate locations at appropriate volume
• Follow documented steps for authenticating users over phone What info can be communicated What is verification process What to do if call is suspicious
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Pretexting/Social Engineering
• Illegally gain access to customer information Methods:• Impersonating
– A customer– Another official within your institution– Another institution– Government regulatory agency– Law enforcement
• Red Flag (ID Theft) Rules
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Pretext Continued
• Indicators: Requesting address change Missing information Calls placed from numbers different than those listed on
account Callers reluctant or refuse to give a call-back number Odd request Aggressive callers Talkative callers Absentminded callers
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
External Personnel
• IT, HVAC, Printers, Plumbing, etc.• Verify• Log (have IT committee review)• Escort/Accompany
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Desk
• Public accessible areas Monitor placement Clean desk Lock drawers• Remove keys
Hide passwords• Lower level offices
Blinds Monitor placement
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Devices
• Work purpose only• Employee only
No friends or family• No removable drives (USB drives)
Unless prior approval Follow appropriate encryption policies
• Follow proper use policy - do not install any software (or hardware) without prior approval Includes iPods, MP3 players, etc. iTunes, WeatherBug, etc.
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Mobile Devices
• Mobile Policy Review Must sign before using Devices must be password protected Devices must support and use idle time lockout Must report lost/stolen devices immediately• Tracking capability
Remote wipe capability Encrypted storage
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Laptops
• Laptops removed from office Work purposes only• No personal Internet browsing
– Web browsing is primary way for device to be compromised
No one else allowed to use (friends/family) Do not leave in car Do not check at airport Do not store passwords with device Encrypted storage
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
• Follow (manual and automatic) encryption practices if message contains NPI
• Attachments - Receiving Never open from unknown source Never open from known source but in unsolicited email
• Attachments - Sending Do not use for personal use Do not forward jokes, chain letters, etc.
• Links Never open from unknown source Never open if unexpected from known source
• Familiarize yourself with common phishing attacks
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Social Media
• Do not access social media at work Unless authorized to manage institution’s social media
sites
• Do not post information about financial institution on social media unless preapproved
• Be careful of what information you share• Check security settings under “Settings” or “Options”
menus to limit access to personal information
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Passwords
• Passwords key to security success Weak or shared passwords open up vulnerabilities Grant access to computers and programs• Can not be shared, written down, sitting out
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Poor Passwords
• Contain less than 8 characters• Word found in the dictionary• Names of pets, family, friends, characters• Birthdays or other personal dates• Phone numbers• Addresses• Any of the above spelled backwards or
preceded/followed by a digit
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Good Passwords
• Contain upper and lower case character• Contain digits and punctuation characters• Have no personal information
(family/pets/etc)• Should change on regular basis (e.g. 60 days)• Not be a word, slang, or jargon
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Other Considerations
• Do not use same password for personal and business applications
• When possible do not use the same password for multiple sites, applications, programs, etc.
• Do not share with secretary, family members, friends
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Password Don’ts
• Don't reveal a password over the phone to ANYONE • Don't reveal a password in an email message • Don't reveal a password to the boss • Don't talk about a password in front of others • Don't hint at the format of a password (e.g. "my family
name") • Don't reveal a password on questionnaires or security forms • Don't share a password with family members • Don't reveal a password to co-workers while on vacation
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Passphrases
• Consider using passphrases Good because contain several words with usually
a high number of characters, upper/lower case and punctuation.
• Sample passphrase "TheTrafficOnThe101InTheMorningIsBad!" “I’mAlwaysLateToWork!”
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Letter Substitution
• Another good option is letter substitutionL=1o=0 Or O=()S=5 Or S=$E=3a=@i=! Or I=1t=+
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Letter Substitution
• JohnySmith = J()hny$m!+h
• Combine a passphrase with letter substitution for a really strong password
• ILoveMyBoss becomes !10v3MyB()$$ Which do you think is harder to break?
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Password Safe
• Consider a password management program• Find one that encrypts passwords and is
trusted• One free program is Password Safe
http://passwordsafe.sourceforge.net/
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
Incident Response Steps
• Detail steps• Detail personnel in steps• Review centralized place where all appropriate
documentation is maintained
The Technology Partner for Financial InstitutionsThe Technology Partner for Financial Institutions
More Resources
• Phishing: http://www.occ.gov/topics/consumer-protection/
fraud-resources/internet-pirates.html
• Info Security Video: http://www.ftc.gov/bcp/edu/multimedia/
interactive/infosecurity/index.html
Recommended