Infosec Awareness Latest

  • 8/3/2019 Infosec Awareness Latest

    January 2, 2012

    Information Security Awareness Program

CONTENT

What is information?

Characteristics of information

What is information security?

What is an ISMS?

Clear desk and clear screen policy

Desktop and portable device policy

Password policy

Email policy

Internet policy

ISO 27001

Security awareness clips

What is information ?

Raw data:

BOB   1st JAN 2011   A12   Dubai   IT   Bangalore

From the above data we can derive the following information:

On 1st January 2011 BOB travelled from Bangalore to Dubai by Kingfisher Airlines (IATA code IT), and his seat number was A12.

Information is data that has been given meaning by way of relational connection.

Structured data:

Name          BOB
Date          1st JAN 2011
Airline       IT
Destination   Dubai
Seat No.      A12
Boarding      Bangalore

Three characteristics of Information

Confidentiality
Integrity
Availability

What is Confidentiality?

Personal: "Hey! My credit card number is confidential."
Business: "So is the business information stored in your office system."

Making sure only those people who are supposed to see the information can see it.

Example: A password or PIN enforces confidentiality.

What is Integrity?

Personal: "I want my credit card to be charged the exact amount."
Business: "Data in a sensitive system should not be changed without permission."

Making sure only those people who are supposed to change (edit) the information can change it.

Example: File permissions enforce integrity.

What is Availability?

Personal: "Keep a backup of my credit card statements in case a dispute arises."
Business: "Backups of business data avoid panic in case of system failure."

Making sure the information is available when authorized people require it.

Example: Backups ensure availability.

What is Information Security ?

Information security focuses on protecting the Confidentiality, Integrity and Availability of information.

(Diagram: Confidentiality, Integrity and Availability surrounding Business Information)

What is ISMS?

An ISMS (Information Security Management System) encompasses the following:

Information Security policy
Information Security organizational structure
Information Security standards
Information Security processes and procedures
Administrative, physical and technical controls
Monitoring & review systems

  • 8/3/2019 Infosec Awareness Latest

    10/33

    CLEAR DESK & CLEAR SCREEN POLICY

Objective: Protect information stored in your computer and in hard copy documents from unauthorized access.

How to practice this?

Lock your computer when you leave your workstation (Ctrl + Alt + Del and choose Lock, or Windows key + L).

If you are working on sensitive information and a visitor comes to your desk, lock your screen to prevent the contents being read.

When desks/offices are unoccupied, any confidential information must be locked away in cabinets or offices.

All waste paper that contains personal or confidential information must be shredded or destroyed.

    DESKTOP & PORTABLE DEVICE SECURITY POLICY

Objective: Protect information stored in your computer and avoid malware propagation.

How to achieve this?

Employees are responsible for taking backups of laptop/desktop data.

Employees are responsible for the physical security of their laptops, BlackBerry devices, etc.

Use of external USB storage devices is restricted.

Always scan for viruses when copying or downloading files to your computer from CD/DVD and other sources.

Password Policy

Objective: To ensure protection of information from unauthorized access.

Use a complex password, that is, a combination of alphanumeric and special characters.

Use a minimum of 8 characters for your password.

Change your password before it is 90 days old.

Do not repeat any of your last 5 passwords.

Do not share your password.

No password behind the keyboard.
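As an added example (not code from the original deck), the following Python shows how the four rules on this slide can be enforced on a password change: length and character classes, the 90-day maximum age, and "not one of the last 5". The function names, the PBKDF2 work factor and the sample passwords are assumptions for the example. The point the slide leaves out is how to check history without keeping old passwords around: each previous password is kept only as a salted PBKDF2 hash and the candidate is re-hashed with each stored salt. One caveat: current guidance (NIST SP 800-63B) no longer recommends forcing periodic changes on their own; the 90-day rule is kept here because it is what the deck specifies.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Policy parameters taken from the slides above.
MIN_LENGTH = 8
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 5
# Work factor is an assumption for this example; tune it for your platform.
PBKDF2_ITERATIONS = 100_000


def policy_violations(password):
    """Return the list of rules the candidate password breaks (empty = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so old entries can be re-checked."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def reused_from_history(password, history):
    """True if the candidate matches any (salt, digest) pair kept from earlier changes."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def change_password(new_password, history):
    """Apply the policy to a password change.

    history is the list of (salt, digest) pairs for the user's previous passwords,
    oldest first. Returns (accepted, problems, updated_history); only the last
    HISTORY_DEPTH hashes are retained.
    """
    problems = policy_violations(new_password)
    if problems:
        return False, problems, history
    if reused_from_history(new_password, history[-HISTORY_DEPTH:]):
        return False, ["matches one of the last %d passwords" % HISTORY_DEPTH], history
    updated = (history + [hash_password(new_password)])[-HISTORY_DEPTH:]
    return True, [], updated


def password_expired(changed_at, now=None):
    """True once the password is older than the 90-day maximum age."""
    now = now or datetime.now()
    return now - changed_at > MAX_AGE


if __name__ == "__main__":
    # Constructed walk-through: weak, good, reused, then a fresh password.
    history = []
    for candidate in ["winter2012", "Winter#2012", "Winter#2012", "Spring#2012"]:
        ok, why, history = change_password(candidate, history)
        print(candidate, "accepted" if ok else "rejected: " + "; ".join(why))
    print("expired after 91 days:", password_expired(datetime(2012, 1, 2), datetime(2012, 4, 2)))
```

The history comparison uses `hmac.compare_digest` so that timing does not leak how many bytes of a stored hash matched; the same helper is what a login check would use.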

    EMAIL POLICY

Email Policy - Objective: Avoid information leakage

How to achieve this?

Use official mail for Company business only.

Company confidential information must not be shared outside the Company, without authorization, at any time.

Email Policy - Objective: Avoid legal issues

How to achieve this?

BIAL retains the right to remove from its information systems any material it views as offensive or potentially illegal.

Ethnic and racial harassment, abuse, etc. is strictly prohibited.

Sending pornographic jokes or other content of a sexual nature via email is considered sexual harassment and will be addressed according to HR policy.

    Do not forward chain mails

Sample Hoax email-1

Here's something that you might want to read; it was on the news.
Subject: FW: PLEEEEEASE READ!!!! It was on the news!

Dear friends,
Something to share with all of u. Would u believe if this is true? Read on..... For those who need money badly and this is one opportunity to try it! I'm an attorney, and I know the law. This thing is for real. Rest assured AOL and Intel will follow through with their promises for fear of facing a multimillion-dollar class action suit similar to the one filed by PepsiCo against General Electric not too long ago.

Dear Friends,
Please do not take this for a junk letter. Bill Gates is sharing his fortune. If you ignore this you will repent later. Microsoft and AOL are now the largest Internet companies and in an effort to make sure that Internet Explorer remains the most widely used program, Microsoft and AOL are running an e-mail beta test. When you forward this e-mail to friends, Microsoft can and will track it (if you are a Microsoft Windows user) for a two week time period. For every person that you forward this e-mail to, Microsoft will pay you $245.00, for every person that you sent it to that forwards it on, Microsoft will pay you $243.00 and for every third person that receives it, you will be paid $241.00. Within two weeks, Microsoft will contact you for your address and then send you a cheque.

Regards,
Charles S. Bailey
General Manager Field Operations

[CONTACT DETAILS REMOVED]

I thought this was a scam myself, but two weeks after receiving this e-mail and forwarding it on, Microsoft contacted me for my address and within days, I received a cheque for US$24,800.00. You need to respond before the beta testing is over. If anyone can afford this Bill Gates is the man. It's all marketing expense to him. Please forward this to as many people as possible. You are bound to get at least US$10,000.00.

We're not going to help them out with their e-mail beta test without getting a little something for our time. My brother's girlfriend got in on this a few months ago. When I went to visit him for the Baylor/UT game. She showed me her check. It was for the sum of $4,324.44 and was stamped "Paid In Full".

Like I said before, I know the law, and this is for real. Intel and AOL are now discussing a merger which would make them the largest Internet company and in an effort make sure that AOL remains the most widely used program, Intel and AOL are running an e-mail beta test.

Sample Scam email-2

Mr. Tim J W Tookey
Group Finance Director of Lloyds Banking Group
25 Gresham Street, London EC2V
[email protected]

Good day,

I am Mr. Tim J W Tookey, the Group Finance Director of Lloyds Banking Group. I personally discovered a dormant account with a total sum of $85,000,000.00 [EIGHTY FIVE MILLION DOLLARS] during our Bank's Annual Year Account Auditing.

Since the death of the deceased, nobody has operated in this account till date. Moreover, this account has NO BENEFICIARY attached to it. Definitely, this fund will be confiscated by our BANKING CODE OF ETHICS if it remains dormant for a period of [10] years without any claims. In this regard, I earnestly need your full cooperation in transferring this money out of our bank to avoid our bank confiscating this fund.

HOW THE TRANSACTION CAN BE HANDLED: As the group finance director of our bank, all our client account details and files are in my possession and that makes it easy for me to include your name as the beneficiary of the fund in all necessary documents involving the money we wish to transfer out from our bank.

Most importantly, you will be required to:
(1). Act as the original beneficiary of the funds.
(2). Receive the funds into a business/private bank account.
(3). At the completion of this transaction, the sharing rates shall be 50% for me while 50% for you.

Note: I will split the transfer into two 2 stages for easy and smooth transfer. Firstly, the sum of $80,000,000.00 will transfer to any valid foreign account you will nominate, then upon a successful transfer without any disappointment from our side; I will then fly to meet you in your home destination for sharing, thereafter we will jointly transfer the remaining balance of $5,000,000.00. I will also like us to invest some part of the money in your country.

If you accept to work with me, you will be given 50% of the total money as your share and 50%. So the main question is, will you partner me in this transaction. If you are willing to cooperate in this project then get back to me on my private email address [email protected] and view my identification link:
http://www.lloydsbankinggroup.com/about_us/directors/executive_directors.asp#timtookey

I AWAIT YOUR URGENT REPLY.

Yours Truly,
Mr. Tim J W Tookey

    INTERNET ACCESS POLICY

Internet Policy

Objective: Utilize technology for better productivity

The use of the internet by company employees is permitted & encouraged where such use is suitable for business purposes & supports the goals & objectives of the company, by:

Providing internet access to all computer users

No time-based restriction

Objective: Avoid information leakage

By restricting:

Social networking sites

Instant messaging

Personal network storage & backup sites

Publishing/disclosing any business-sensitive information on personal websites/portals/blogs/social networking sites

Internet Policy

Objective: Avoid legal action, by:

Restricting Internet access to acceptable categories of websites & content only

Monitoring internet use from all computers & devices connected to the BIAL network

Logging internet access details and retaining them for forensic purposes

    Phishing

Sample Phishing email (image; text not extracted)

Sample Phishing email (image; text not extracted)
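The phishing samples on these slides survive only as images, but "Sample Scam email-2" above shows the tells in text: a sender who claims a bank's identity, a reply address on a different domain, an eight-figure sum, and urgency. As an added example (not code from the original deck), the Python below turns those tells into checks a mail gateway or a triage script could run over a raw message: Reply-To domain versus From domain, link hosts that are not under the sender's domain, large currency amounts, and lure phrases. The three messages are constructed samples: the first is modelled on the Lloyds scam above (its real private reply address was not extracted, so `example-webmail.net` is an assumption), the second is a made-up credential phish with a lookalike link host, and the third is a benign notice for comparison. The function names and the phrase list are also assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Lure phrases recurring in the scam and hoax samples above (assumed list for this example).
LURE_PHRASES = [
    "urgent", "dormant account", "beneficiary", "confidential",
    "verify your account", "confirm your password", "act now",
]
MONEY = re.compile(r"\$\s?\d{1,3}(?:,\d{3})+(?:\.\d{2})?")
URL = re.compile(r"https?://[^\s<>\"']+")
ADDRESS = re.compile(r"[\w.+-]+@([\w.-]+)")

# Constructed sample modelled on "Sample Scam email-2"; headers are assumptions.
SCAM_419 = """From: "Mr. Tim J W Tookey" <tim.tookey@lloydsbankinggroup.com>
Reply-To: tim.tookey.private@example-webmail.net
Subject: I AWAIT YOUR URGENT REPLY
Content-Type: text/plain; charset="utf-8"

I am Mr. Tim J W Tookey, the Group Finance Director of Lloyds Banking Group.
I personally discovered a dormant account with a total sum of $85,000,000.00.
You will be required to act as the original beneficiary of the funds.
Get back to me on my private email address and view my identification link:
http://www.lloydsbankinggroup.com/about_us/directors/executive_directors.asp
"""

# Constructed credential phish: the link host merely *starts with* the sender's domain.
CREDENTIAL_PHISH = """From: "IT Helpdesk" <helpdesk@example.com>
Subject: Password expiry notice
Content-Type: text/plain; charset="utf-8"

Your password expires today. Confirm your password here to keep access:
http://example.com.password-reset.invalid/login
"""

# Constructed benign notice for comparison.
LEGIT_NOTICE = """From: "IT Helpdesk" <helpdesk@example.com>
Subject: Updated clear desk policy
Content-Type: text/plain; charset="utf-8"

The updated clear desk and clear screen policy is on the intranet:
https://intranet.example.com/policies/clear-desk
"""


def address_domain(header_value):
    """Domain of the first e-mail address in a From/Reply-To header, lower-cased ('' if none)."""
    match = ADDRESS.search(str(header_value or ""))
    return match.group(1).lower() if match else ""


def host_under_domain(host, domain):
    """True for the domain itself or any of its subdomains; false for lookalikes."""
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw_message):
    """Return human-readable indicators found in one RFC 822 message (empty = nothing seen)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []

    sender = address_domain(msg.get("From"))
    reply_to = address_domain(msg.get("Reply-To"))
    if reply_to and reply_to != sender:
        indicators.append("Reply-To domain '%s' differs from From domain '%s'" % (reply_to, sender))

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""

    for url in URL.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if sender and not host_under_domain(host, sender):
            indicators.append("link host '%s' is not under the sender domain '%s'" % (host, sender))

    for amount in MONEY.findall(text):
        indicators.append("large money amount mentioned: %s" % amount)

    lowered = (str(msg.get("Subject", "")) + "\n" + text).lower()
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            indicators.append("lure phrase: '%s'" % phrase)

    return indicators


if __name__ == "__main__":
    samples = [("419 scam", SCAM_419), ("credential phish", CREDENTIAL_PHISH), ("legitimate", LEGIT_NOTICE)]
    for name, sample in samples:
        print(name)
        for line in phishing_indicators(sample) or ["(no indicators)"]:
            print("  -", line)
```

Note what the 419 sample does and does not trigger: the link in it points at the genuine lloydsbankinggroup.com site, cited for credibility, so the link check stays quiet, and it is the Reply-To mismatch plus the money and lure checks that flag it. Header-only checks are therefore not enough on their own; the From header is also trivially forgeable, which is why production gateways pair rules like these with SPF/DKIM/DMARC results.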

PHYSICAL & ENVIRONMENTAL SECURITY POLICY
