Security Awareness
Untangled Church Technology Conference, November 8, 2014
Dr. Eric Vanderburg, Director, Cybersecurity and Information Systems
[email protected] | @evanderburg | (216) 664-1100
© 2014 JurInnov, Ltd. All Rights Reserved

Untangled Conference - November 8, 2014 - Security Awareness


Security awareness for church employees. This presentation was given at the Untangled Conference on November 8, 2014. http://getuntangled.org/



How Security is comprised
[Chart: People, Process, Technology; labels 10% and 90%]


Things your mother probably told you

• Don’t accept candy from strangers
  – Infected devices
• It’s ok to ask questions
  – Challenge
• Don’t leave your things lying around
  – Clean desk and locked screen
• Be careful who your friends are
  – Social networking
• Avoid that area of town
  – Discretionary web surfing


Security goals

Three Goals
• Confidentiality: Ensuring that confidential university information is protected from unauthorized disclosure
• Integrity: Ensuring the accuracy and completeness of information and computer software
• Availability: Ensuring that information and vital services are accessible for use when required


Malware

Detection
• Computer seems slower than usual, unexpected restarts
• Browser takes you to a different site than you expected
• Security software stops working
• Your hard drive is full
• Increased number of popup windows

Defense
• Antivirus software with updates and regular scanning
• Avoid unsolicited email and links
• Download from trusted sites
• Personal firewall


Computer Use

• Secure browsing
• Updates
• Popups and warnings
• Certificate errors
• Suspicious links
• Deleted files are not truly deleted


Remove the opportunity

• Location of office equipment
  – Printers & fax machines
• Lock it down
  – Office doors
  – File cabinets, sensitive documents, personal items
  – Computers
    • Windows OS: Ctrl-Alt-Delete [enter] or Windows + L
    • Macs: Shift (⇧) + Command (⌘) + Q
    • Password-protected screensaver or time-out
    • Don’t leave the computer unattended when logged into an account with sensitive data (e.g., payroll, email, personal info)
  – Phones


It’s ok to discriminate against data

• You can’t treat it all the same
  – Personal information
  – Financial information
  – Member information
  – Public information
• Where is all the data?
  – Head, paper, computer, server, backup, email
• What if we got rid of it?


Data Protection

• Accessible only to authorized users
• Physically locked down
• Not out in the open
• Encrypted
• Password protected


Encryption

• At rest
  – Full disk encryption
  – File encryption
• In motion
  – VPN
  – SSL


Phishing

• Email
• Text
• Chat
• Craigslist
• Dating sites


Phishing markers

• False Sense Of Urgency – Threatens to "close/suspend your account", charge a fee or talks about suspicious logon attempts, etc.
• Suspicious-Looking Links – Links containing all or part of a real company's name asking you to submit personal information.
• Not Personalized – Does not address you by name or include a masked version of the account number.
• Misspelled or Poorly Written – Helps fraudulent emails avoid spam filters.


PHISHING

Subject: URGENT! Haiti Victims Need Your Help!

Subject: UPS Delivery Problem

Subject: You’ve received a greeting card

Subject: See Exclusive Photos of Michael Jackson’s Last Moments


Protect yourself against phishing

• Treat all email with suspicion
• Never use a link in an email to get to any web page
• Never send personal or financial information to anyone via email
• Never give personal or financial information solicited via email


Passwords

• Passwords are THE KEYS TO:
  – Your bank account
  – Your computer
  – Your email
  – A server on a network
  – Many other things


Passwords

• Passwords are like underwear
  – Change them often
  – Showing them to others can get you in trouble
  – Don’t leave them lying around
• Use different passwords for different purposes


Passwords

• Length
• Complexity
• Passphrase
• http://www.passwordmeter.com/

[Diagram: Length, Complexity, Strong Password]


THE KEY TO PASSWORD STRENGTH

Use a phrase, sentence, question or random statement (with a twist)
• 2NiteWeparty*likeits1999
• HowdoU”spell”thatAGAIN?
• Amishwish4fish2squish
• OunceI$good#isbetter!

Use a fake website, email, file or address
• Website (time4anewpwagain.com)
• Email ([email protected])
• File (passwords/make/me/crazy)
• Address 4223westmyhouse

Use a phrase, random statement or compound word; then shorten it and make it nonsensical
• Follow the yellow brick road to OZ = Ftybr2OZ
• Why did the chicken cross the road? = Y?dtCxtR?
• Wildthing = W!ld*7H1ng!
• Red Jello = R3d-j3llo:)


Email password theft - indicators

Warning Signs
• Receive a large number of rejected messages
• Find messages in your sent folder that you know you didn’t send
• Missing email
• Unexplained changes to your account settings
• Spam


Identity Theft

• Thieves will…
• Go on spending sprees using your credit card
• With your name and Social Security number they can:
  – open new credit card accounts
  – gain employment
• Give your name to the police during an arrest
• Establish wireless service in your name


Identity theft – How it happens

• They may steal your mail, wallet, or purse
• Malware
• Phishing
• Social engineering
  – bribing or conning an employee who has access to these records
• Stealing personnel records or breaking into your records electronically


Social engineering

Social engineering preys on qualities of human nature:
• The desire to be helpful
• The tendency to trust people
• The fear of getting into trouble


Identity Theft - Indicators

• Bills that do not arrive as expected
• Charges on your credit card that are not yours
• Unexpected credit cards or account statements
• Denials of credit for no apparent reason
• Calls or letters from
  – Debt collectors
  – Businesses about merchandise or services you did not purchase


Identity Theft - Defenses

• Limit the number of credit cards you carry
• Keep a list of all credit card numbers and the numbers to call to report them
• Shred information
• Be diligent about checking statements
• Order and analyze your credit report
• Watch for shoulder surfing


Identity Theft - Response

• Place a "Fraud Alert" on your credit reports
• Close suspect accounts
• Use the FTC’s ID Theft Affidavit
• Keep documentation about conversations
• File a police report with local law enforcement
• Report the theft to FTC
  – Online at Ftc.gov/idtheft
  – By phone 1-877-ID-THEFT (438-4338)


Social Networking (Cont’d)

• Networking sites:
  – Used to meet people online, stay in touch with friends, connect on professional levels
  – Use the privacy settings on your account to ensure maximum security
  – Be careful about who you accept as a “friend”
  – Be careful about the information you provide on these sites


What’s wrong with this picture?


Q&A

Don’t be shy…