NUI Galway
Security Awareness
Training
© 2000-2012 Ward Solutions, Ltd. All rights reserved. Confidential and Proprietary.
Agenda
• Introduction – Why do we need security?
• What is Information Security
• The Evolving Threat Landscape
• Passwords
• Social Engineering
• Network Security
• E-mail Use and Security
• Mobile Computing
• Information Security Incidents (who to tell, what to do, what not to do)
• Personal Responsibilities
Introduction
 The purpose of this brief is to raise awareness of security amongst
staff within NUIG.
 This training is designed to help you assess potential IT security
threats to the University’s systems and data.
 This training will help you respond in an appropriate manner to
these threats.
 Everybody is responsible and can help NUIG to be more secure
from IT Security threats.
 If unsure, ASK!! If suspicious, REPORT!!!
Introduction – Goals of Security Awareness
 Know the risks and threats regarding information security
 Know the basic terms of information security
 Understand the clear definition of a security incident: guidance as
to how one may be identified and how it should be dealt with and
reported
 Know responsibilities and reporting channels relating to
information security in the organization
 Know and understand the Information security policies, standards
and procedures for NUI Galway
 Where to obtain further information: websites, Departments and
People
Data Classification and Handling
 NUI Galway Controlled
Protection of information is at the discretion of the data owner - low risk of
embarrassment or reputational harm to the University.
 NUI Galway Restricted
The University has a legal, regulatory or contractual obligation to protect information
with this classification. Disclosure or loss of availability or integrity could cause harm
to the reputation of the University, or may have a short-term financial impact on the
University.
 NUI Galway Highly Restricted
Protection of information is required by law or regulatory instrument. Strictly limited
distribution within and outside the University. Disclosure would cause exceptional or
long term damage to the reputation of the University or risk to those whose
information is disclosed, or may have serious or long term negative financial impact
on the University.
NUIG IT Data – What is it?
Why do we need security?
Security is an Organisational Issue
Why do we need security?
Because we all have information worth protecting:
Common Examples – Personal
Alarm Codes
Bank Account Statements
Birth Certificates
Bank Cards - Credit and Debit Card(s)
Bank Card Personal Identification Numbers (PINs)
Government Issued IDs - Passport/Driving License
Medical information
Social Security Number (SSN/PPS)
Taxation Records
Common Examples – Work Related
Alarm Code
Contact information (business or personal)
Personal private information
Customer information / Commercially sensitive information
Student information
Staff/employee personal information
Credit card or Banking information
Internal Web site or file share (based on sensitivity)
Published press release
Threats – Personal
Identity theft
Fraud
Theft of property
Loss of privacy
Threats – Work Related
Reputational / Brand Damage
Fraud
Theft of property
Identity theft
Loss of privacy
Why do we need security?
Because legislation, regulations and policies require it:
Criminal Damages Act, 1991
Freedom Of Information Act 1997
Intellectual Property (Miscellaneous Provisions) Act 1998
Copyright and Related Rights Act, 2000
Non-Fatal Offences Against the Person Act, 1997
Electronic Commerce Act, 2000
Child Trafficking and Pornography Act, 1998
S.I. No. 535/2003 — EC Data Protection and Privacy Regulations 2003
Data Protection Act 1988, Data Protection (Amendment) Act 2003
eCommerce Directive (2000/31/EC)
EU Data Protection Directive 95/46/EC 2002
European Communities (Data Protection) Regulations, 2001
Regulations entitled European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003)
NUIG Security Policies
What is Information Security
Technology
 Web Filtering / Email Filtering
 Intrusion detection
 Anti-malware / Anti Virus
 Encryption
People
 Awareness and Training
 Employee On-boarding
 Employee exit
 Reference Checks
Processes
 Incident Response
 Vulnerability Management
 Systems Development Lifecycle
 Separation of Duties
 Policies and Standards
 Access based on business need
What is Information Security
 Confidentiality
 Information is only shared with or accessible by those who have a
legitimate or business “need to know”
 Integrity
 Preventing unauthorised modification
 Availability
 Services and systems are available when needed
Cybercrime Marketplace
$1-$6 US Credit card number
$2-$12 UK Credit card number
$5-$50 Medical ID card
$6-$18 Basic identity information
$7 PayPal account with credentials
$50-$500 PayPal verified with balance
$20 DDoS attack from bot army (per hour)
$30 Passwords to consumer credit reports
$50-$60 Health/medical record
$140 10 million email addresses
$200 Malicious Software Toolkit
$500 20 million SPAMs sent from bot army
$100-$2000 Malware as a Service (MaaS)
$1000-$5000 Online banking accounts with a balance
$10000 0-Day Exploit
The Evolving Threat Landscape
Source: VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT
Threats for 2008 -- 2011
More than 340,000 pieces of unique malware, one third identified in 2007
More than 325 new unique pieces of malware identified daily
90% of today’s malware is hidden or encrypted to steal data
Source: McAfee Avert Labs
One new infected webpage discovered every 14 seconds, or 6,000 a day
Source: Sophos Security Threat Report, 2008
Almost 20% of employees reveal their work passwords to at least one other person
Source: Survey conducted by YouGov in the UK, commissioned by Dimension Data, 2008
Passwords
Passwords are the keys to access to lots of information and are
fundamental to security
NUIG’s Password Policy
Sets the minimum security standard for passwords
 Should be a minimum of 8 characters
 Will include at least 3 of the 4 character types: uppercase letters, lowercase letters,
numbers and special characters
 Should be changed at least every 120 days, through CASS or directly within the
application as appropriate (the help desk can help where password issues occur)
 Never share with others
 Do not write down and leave accessible
 Should not be easily guessable
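As an added illustration, not part of the training deck and not NUIG's own tooling, the Python check below applies the password rules just listed: the 8-character minimum, at least 3 of the 4 character classes, and the 120-day change interval. The "easily guessable" rule is approximated by a small constructed denylist plus a check that the password does not contain the account name; both are assumptions for illustration.

```python
import string
from datetime import date, timedelta

# Rules stated in the password policy slide.
MIN_LENGTH = 8
MIN_CLASSES = 3
MAX_AGE = timedelta(days=120)

# Constructed denylist standing in for a real common-password list (assumption).
COMMON_PASSWORDS = {"password", "password1", "welcome1", "galway123", "qwerty123"}


def character_classes(password: str) -> int:
    """Count how many of the 4 classes (upper, lower, digit, special) appear."""
    present = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(present)


def password_problems(password: str, username: str = "") -> list[str]:
    """Return the policy rules a password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of the 4 character classes")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    # Guessability check: a password built around the account name (assumption).
    if len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the username")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True once a password is older than the 120-day change interval."""
    return today - last_changed > MAX_AGE


if __name__ == "__main__":
    for candidate in ("Ab1!", "longlowercase", "Password1", "Tr0ub4dor&3"):
        print(candidate, password_problems(candidate) or "OK")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 5, 1)))
```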
Social Engineering
An attacker may seem unassuming, respectable, possibly claiming to be a new
employee, repair person, or researcher and even offering credentials to support
that identity.
Methods of approach:
 E-mail
 Telephone
 Face to face
 Websites (adverts)
Most common is the phishing scam, which is a form of fraud, used to commit
identity theft. The term “phishing” reflects the way that fraudsters trawl and
lure their victims through the net, rather like fishermen at sea. Spam e-mail is
the most common delivery mechanism.
Members of staff have previously been targeted in this way through their
@NUIGalway.ie accounts.
Social Engineering - Phishing
Social Engineering
Things You Can Do to avoid security incidents
 Ensure your system is updated with security patches and antivirus; where
necessary, please allow your machine to shut down and update when requested.
 Don’t take emails or websites at face value. Be on your guard without being
paranoid! Don’t forward these emails on to colleagues, ISS or contacts outside
the organisation.
 If in doubt contact the Service Desk.
 Be extremely wary of any unsolicited request for personal or business
confidential information, especially if financial or other sensitive information
(such as passwords, PPS numbers or even server names) is requested.
 Never reveal personal, business or financial information in a response to an
e-mail request, no matter who appears to have sent it.
 Financial institutions NEVER include links to websites in e-mail messages or
request personal information by e-mail.
Network Security
It is vital for each user to be aware of security measures, because one
user’s actions can affect, and have affected, the entire network at NUI Galway.
Threats – Malicious code
 Virus
 Worm
 Trojan Horse
 Backdoor
 Active Content
 Spyware
 Adware
Website Filtering at NUIG
Network Security – Rogue Applications
E-Mail Use and Security
Disadvantages include:
 Privacy cannot be guaranteed
 Primary way for malicious code to spread
 Vulnerable to:
  Spam
  Chain letters
  Scams
  Hoaxes
 Can be misdirected, spoofed, or forwarded

 NUIG ensures anti-virus software is running and is up-dated.
 Recognise your email audience and the potential (mis)use of any data included
in that email.
 Beware of attachments in unexpected e-mails.
 Financial institutions NEVER include links to websites in e-mail messages
or request personal information by e-mail.
 Never reveal personal or financial information in a response to an
e-mail request, no matter who appears to have sent it.
 If a suspicious email is received log a call for ISS to investigate but don’t
forward the email.
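An added example, not part of the deck and not an ISS tool, that applies the warning signs from the social engineering and e-mail slides to a constructed message: a Reply-To that goes to a different domain than the apparent sender, link text that displays one site while the link points to another, and a request for a password or personal information. The sample message, the indicator list and the credential phrases are assumptions made for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not a real e-mail) showing the warning signs.
SAMPLE_EMAIL = """From: "IT Service Desk" <servicedesk@nuigalway.ie>
Reply-To: helpdesk@example-mailbox.invalid
Subject: Your mailbox quota is full
Content-Type: text/html

<p>Your password expires today. Please verify your account to keep access:</p>
<p><a href="http://account-verify.example.invalid/login">https://cass.nuigalway.ie</a></p>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Phrases typical of requests for credentials or personal data (assumption).
CREDENTIAL_WORDS = ("password", "verify your account", "pps number")


def domain_of(address: str) -> str:
    """Domain part of an address such as 'Name <user@host>', lower-cased."""
    return address.rsplit("@", 1)[-1].rstrip("> ").strip().lower()


def phishing_indicators(raw: str) -> list[str]:
    """Return the warning signs found in a raw message; an empty list means none."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    sender_domain = domain_of(str(msg["From"] or ""))
    reply_to = msg["Reply-To"]
    # Replies routed to a different domain than the apparent sender.
    if reply_to and domain_of(str(reply_to)) != sender_domain:
        found.append(f"Reply-To domain {domain_of(str(reply_to))} differs from From domain {sender_domain}")
    body = msg.get_content()
    # Link text that displays one site while the href points elsewhere.
    for href, text in LINK_RE.findall(body):
        target = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname
        if shown and shown != target:
            found.append(f"link text shows {shown} but points to {target}")
    if any(word in body.lower() for word in CREDENTIAL_WORDS):
        found.append("asks for a password or personal information")
    return found


if __name__ == "__main__":
    for indicator in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", indicator)
```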
Email image blocking at NUIG
Mobile Computing
 Applies to the use of mobile devices that can store data such as laptops,
personal digital assistants (PDAs), iPads and other tablets, and mobile (smart) phones.
 Portable media includes devices such as USB keys and CD/DVDs.
 Particularly vulnerable to loss and theft.
 Personal computers must not be used at home for NUIG activities if updated
virus protection and security patches are not in place. Consider who else may
have access to sensitive information if your personal computer is compromised.
 Staff should ensure that no sensitive NUIG information is on mobile devices
(USB keys, iPads and mobile phones) – where it is, the device hosting the data
should be encrypted.
 Passwords should not be written down or stored in laptop cases.
 Enable a screen time-out of 15 minutes.
 Always switch off or lock the device if temporarily leaving it somewhere.
Mobile Computing
 In the event of your mobile device or media becoming lost or
stolen, you must report the loss, as quickly as possible, to your
Carrier and ISS.
 Other Devices (USB, Laptop, CD/DVD portable hard drive) if lost
should be reported to ISS as soon as possible.
 Where data loss occurs the Data Protection Officer must be
notified in a timely fashion.
 There may also be a requirement to notify the Data Protection Commissioner,
depending on the circumstances.
Information Security Incidents
An information security incident is defined as any information related
event or action that is not approved by policies. Examples include:
 Computer virus
 Loss of data
 Compromised password
 Denial of service
 Social engineering attack
 Theft
 Forged e-mail
 Misuse of IT systems
 Break-in (actual or attempted)
All incidents, including information security incidents, should be reported to
the Service Desk immediately.
Personal Responsibilities
Our responsibilities are as set out in the following policies which are available:
1. Password Policy for Staff & Scholarships
2. Mobile Computing Policy
3. Partnering Policy
4. Remote Access Policy
5. IT-Asset Protection Policy
6. Logical Access Policy
7. Encryption Policy
8. Anti-Virus and Malware Protection Policy
9. End User Policy
10. Data Classification Policy
Personal Responsibilities – User Security Policy
 Use NUIG’s computers only for lawful and approved purposes.
 Comply with safeguards, policies, and procedures to prevent unauthorised access
to NUIG’s computer systems.
 Choose good passwords and change them at least every 120 days. Never share
your logon or account password with anyone.
 Not forwarding NUIG emails to personal email (e.g. Gmail, Hotmail, Yahoo).
 Not forwarding chain or joke emails.
 Not registering for PayPal, eBay or other such websites with your NUIG email
address.
 Not using the same NUIG password on external sites.
 Not storing sensitive NUIG information on a non-NUIG device or computer
(personal laptop, iPad or personal mobile phone).
 Use the internet appropriately.
Personal Responsibilities – User Security Policy
 Use approved virus scanning software on your workstation or desktop and your
home computer. Scan files for viruses before execution.
 Know your data; properly classify and protect all data according to its sensitivity
and value.
 Ensure that your data is saved to the allocated server shares.
 Report known or suspected computer security incidents to your Information
Security officer.
 ISS supports the following security elements:
 Encrypted laptops
 Secure FileSender service
 McAfee
 Web filters
 Email scanning
 If in doubt, contact a member of the management team for assistance.
The most important Security Control
 Do not share your passwords with anyone (including your line
manager or the Service Desk)
 Contact ISS in case of receiving any suspicious emails (but do not
forward the emails)
 Lock your mobile device (with a PIN)
 Report any incidents to the Service Desk immediately
 Be vigilant - it is likely that the most effective security control is
your own awareness
Service Desk contact: servicedesk@nuigalway.ie