CYBER INFORMATION SECURITY AWARENESS AND PROTECTION PRACTICES
Strengthening Your Community at the Organizational Level
Las Vegas, Nevada 2012

Security Awareness and Why is it Important?

In today's economic climate, information is every organization's most important asset, and losing it could be catastrophic. Beyond the loss of the asset itself, a breach of an organization's network can result in:
• Damage to organizational reputation
• Loss of revenue
• Assessment of fines and penalties
• Significant costs to restore and protect customer data
• Complete shutdown of business operations

Beyond the organization, network systems that provide community services, such as hospitals, financial institutions, governments and public sector critical infrastructure, can put an entire community at risk if compromised. While no single solution will prevent every possible scenario, the protection of information as an asset is the responsibility of everyone in the home, community and organization, from the top down. Every member is part of the team and must take a leadership role in protecting information and the systems that manage it.

Building a strong Information Security Awareness Program is a key element in ensuring that information in your care, and the system(s) that store, process or transport it, remain accessible and uncompromised. The person using the information is likely the weakest link in its protection; promoting a strong awareness program is therefore vital to protecting the community as a whole.

Information security includes cyber security and data security. Though some use these terms interchangeably, each covers specific issues in the protection of different types of systems, data and information. An example of cyber security is the control system a railway uses to switch a train from one track to another, or a missile's guidance system. An example of data security is how your computer and tablet store data and keep one user from accessing another user's files. Information security can also include the paper copy of your bank statement or the email correspondence you had with a friend.

Regardless of where on the security paradigm you sit, you are critical to the protection of your personal information, your company's email service and even your community's ability to offer services. How you use an information system can affect the continued operation of other systems distant from you, perhaps systems you have no knowledge of, rather like sneezing and spreading germs. A single mouse click on an email link can launch an attack on a whole range of computer systems. Yes, your actions have that potential. Keeping with the sneezing analogy, protecting the community can be as simple as covering your mouth, washing your hands and getting a flu shot. In the information security world, that means NOT clicking on unknown links, NOT sending unprotected information over email, and USING up-to-date anti-virus software.

Information security is not easy to get your arms around. Bad guys release new attacks and launch social engineering schemes daily in an attempt to convince you to click on something. They are sitting near you at your favorite Wi-Fi hotspot and, if you read the paper, the headlines will tell you how they are launching "all out attacks" on our country and its infrastructure. Just like the sneeze, the community needs your help to prevent the spread of the problem.

Information Security Myths: Hackers Are Not Interested In Me

The following myths are examples of why many organizations do not move forward with a strong cyber security program. The end result can be devastating losses to the user, the organization, its customers and the community.

1. Myth: Most hackers are kids in their teens just trying to give you a hard time.
False: Cybercrime is big business. The first generation of cybercriminals was certainly teenagers seeking notoriety. From there, cybercrime evolved into a profit-motivated activity of organized gangs with increasing sophistication, and then into a full-fledged industry where malware is bought, sold and supported.

2. Myth: The biggest security threat to my company comes from hackers.
False: Published studies have reported that 50% to 80% of incidents resulting in significant financial loss have come from insiders (mostly employees), who can do more harm because they know where the sensitive data is located, what the system weaknesses are and how to get at the data.

3. Myth: Most hackers only attack big companies because that is where the money is.
False: Historically this was true, but the trend has changed and attackers now look for smaller, easier targets where the discipline of information security is not well practiced.

4. Myth: Security solutions are expensive and cumbersome.
False: The biggest risk to your information and a company's intellectual property is social engineering: obtaining information from individuals by deception, so that the user unknowingly releases valuable information. Providing your employees with awareness training in social engineering tactics and the safe use of social media is a low-cost measure with a high return.

5. Myth: We hire a hacker once a year to perform a penetration test, so we know our network is secure and our data is safe.
False: A penetration test is a snapshot in time of the security of your network, devices and PCs. Every day, new viruses and vulnerabilities are introduced, paving the way for opportunistic hackers. Ongoing processes and procedures aligned with information security best practices, together with awareness training, are the best ways to protect your data.

6. Myth: Anti-virus software and firewalls are all I need to protect my network.
False: Current anti-virus software and properly deployed firewalls are important tools that protect your network and your information; however, they cannot guarantee protection from all attacks. With new malware appearing at a rate estimated at the time at one new sample every 13 seconds, signature-based anti-virus cannot keep up, and some estimates put its detection rate at only about 30% of the malware in circulation. Layered security, careful behavior by all users and keeping these technologies updated is the best way to reduce your risk.

7. Myth: If a hacker penetrates my network we will detect it and can prevent any damage.
False: Studies have shown that attackers infiltrate networks and remain undetected for months, 3-4 months or longer, before they are discovered. In many cases it is a third party, such as a customer, who reports the compromise.

SO WHO IS THE BIG BAD WOLF? A Brief Look at Cyber Data Security Threats

Threats and vulnerabilities to the safety of your information are growing quickly, and new malware, hacks and viruses pop up every minute. Big Bad Wolves are typically those who seek personal gain from your information. The following are some of the more common threats to consider.

• Employee Actions: Employees, whether intentionally or unintentionally, can open your network to those whose intent is to do harm.
• Malware and Viruses: Emails or websites carrying malware intended to disrupt computer systems can be opened inadvertently because of a lack of awareness of the associated threats.
• Spyware: Malware typically loaded on your system when you click a link, used to collect information as you use the system.
• Hackers: Those who obtain financial and other information to sell online, or for other personal gain. Hackers may target specific companies, but mostly they scan systems at random for easy entry points.
• Hacktivists: This hacking has a different motive. Hacktivists target organizations they disagree with and want to stop the target's ability to continue its work, or to cause the organization embarrassment. Politically or ideologically motivated, they are normally opposed to the organization's mission and goals.
• Web-Page Take Over: Someone else takes control of your website, typically to deface it or to serve malicious content to its visitors.
• Cyber Terrorists: Typically groups whose goal is to damage the American economy by interrupting business. These attacks are often aimed at large national organizations regardless of the services they provide.
• Disgruntled Employees or Ex-Employees: The potential for those who would steal or defraud by accessing your information is a reason to remove their system access at the time of termination, and to limit everyone's access to information their job does not require.
• Employees Involved in High-Risk Activities: Such employees often visit websites catering to those activities. These sites commonly promote insecure practices, so those visiting them are more apt to cause system problems.
• Vendors, Outside Sales Representatives and Trainers: It is important to have information security policies in place and to limit the access of third parties and contractors who access or support your network.
• Mobile Devices, Flash Drives and Social Media: These common mechanisms present potential risks and must be considered in your information security awareness training and practices.
• Phishing Emails: Posing as legitimate emails from your bank or other vendors, phishing emails are in fact a false front for identity theft, asking for information such as passwords and/or account numbers.

Awareness Campaigns

The best awareness campaigns are simple: informational posters, flyers or emails that heighten awareness of the organization's information security practices.

Employee Awareness, Training and Security Practices

1. New Employees: New employees should receive the Information Systems Security Policies and training during orientation, and should be required to sign to indicate their understanding and intent to comply.

2. Exiting Employees: Interview all outgoing employees, regardless of position, to ensure that any unique passwords have been reported and that company data and property, including devices, are returned. IT should immediately disable network, system and remote access for all terminated employees and reset their passwords. The organization should also have a policy for the ongoing retention of that employee's files and data and for the authorization required before others may access them.

3. Employees Who Leave Without Notice: In addition to the measures above for exiting employees, consider additional measures for those who leave without notice. Secure their computer, check it for malware or evidence of compromise, and monitor the network for any attempts they may make to access it for several weeks following their departure.

4. Vendors and Sub-Contractors: Establish a policy that requires their compliance with your security rules and policies. Require a Non-Disclosure Agreement to protect privacy and information before granting access to your information systems.

5. Employee Use of Company Equipment: Policy should identify how and when company information systems, including cell phones, are to be used, and should require safe practices.

6. Social Media Policy: Consider adopting a social media policy and ensure that employees are aware of the risks presented by their use of social media.

7. Reporting: Ensure employees know what, when and how to report suspicious activities.

8. Record Keeping: Ensure your IT personnel keep a log of any suspected hacks or other questionable matters for future investigations.

9. Policies on Changing and Sharing Passwords: Establishing how often passwords must be changed, the minimum number of characters in a password, and how these requirements are communicated to employees will help keep everyone accountable. It is a good idea to keep an updated list of all important or key passwords in a sealed envelope in a locked safe, accessible only by senior management, for use in an emergency. Treat any envelope that has been opened as exposed and change those passwords afterward.

10. Establish Standard Operating Policies: Ensure that employees know the organization's standard operating procedures for items that may put your network at risk. Some items to consider are:
• Phishing emails
• Opening attachments
• Identifying and handling questionable emails
• Use of personal or vendor flash drives

11. Personal Computers/Mobile Devices: Accessing company email or data remotely on a laptop or mobile device places a significant risk on your organization. Ensure that you have a clear policy for employees in the event of a breach. If you allow remote access, ensure that employees are aware of potential threats such as:
• Smart phones can be hacked.
• A phone that runs warm or drains its battery while idle may indicate unwanted background activity, though this alone is not proof of a breach.
• There are programs that can remotely turn on a mobile device's microphone and camera.
• Anti-Virus Software Updates: Personal laptops and mobile phones should have anti-virus software. Ensure employees know their responsibility to keep it up to date.

12. Cloud Storage and Online Tools: Many employees enjoy online tools; however, it is important for them to realize that many of those tools run in what is referred to as the cloud, and the server is often housed in another state or country. Remind employees that cloud-based products must be approved before they are used.

13. Reporting Procedures for Compromised Data or Possible Breaches: Ensure that every employee knows that a suspected compromised system should be identified immediately, whom to report it to, and that a delay in notification can increase the damage.

14. Significant Breaches That Must Be Reported to Law Enforcement: Depending on your company's work and the severity of the breach, local law enforcement may need to be contacted. Companies should know that in cases such as child pornography, contacting law enforcement is required, and the company can be in jeopardy if contact is not made. Secure the computer until law enforcement arrives. Do NOT turn it off, because that erases its volatile memory (RAM) and any evidence held there; do disconnect it from the network to avoid further damage. Record who handled the machine and when, so that the chain of custody is preserved.

15. Disaster and Recovery Planning: Having a plan in place and completing emergency drills will keep you prepared in the event of an actual emergency and will hopefully minimize the downtime of your business.

16. How Often Should I Train and How Do I Get It to Everyone: The frequency of awareness training depends on your company's information security risks. Training can be as simple as a reminder of a single security practice or a briefing on a new threat. Department staff meetings are a great way to update multiple employees at one time. Depending on their position, employees can also attend local training seminars or vendor meetings, which are valuable low- or no-cost training resources. In all cases, training should be an ongoing activity, whatever form it takes.
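Item 3 above says to monitor the network for access attempts by employees who have left, and item 8 says to keep a log for later investigation. The Python script below is an added illustration of that check and is not part of the original guide: it reads authentication log lines against an HR list of terminated accounts and flags every attempt made after the termination took effect, treating a successful login as critical because it means the account was never disabled. The log format, host name, user names, IP addresses and the roster are all constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed roster (assumption): account -> time the termination took effect.
# In practice this would come from HR / the identity system.
TERMINATED = {
    "jdoe": datetime(2012, 3, 1, 17, 0),
    "asmith": datetime(2012, 2, 15, 12, 0),
}

# Constructed sample log in an assumed sshd-like format, one event per line:
# "<ISO timestamp> <host> <service>: <Accepted|Failed> <method> for <user> from <ip>"
SAMPLE_LOG = """\
2012-03-01T08:55:00 vpn01 sshd: Accepted password for jdoe from 203.0.113.7
2012-03-02T23:41:12 vpn01 sshd: Failed password for jdoe from 198.51.100.23
2012-03-02T23:41:20 vpn01 sshd: Failed password for jdoe from 198.51.100.23
2012-03-03T01:02:03 vpn01 sshd: Accepted password for jdoe from 198.51.100.23
2012-03-03T09:00:00 vpn01 sshd: Accepted publickey for mlee from 192.0.2.10
2012-04-20T12:00:00 vpn01 sshd: Failed password for asmith from 198.51.100.9
this line is not an auth event and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<svc>\S+): "
    r"(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<ip>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: datetime
    user: str
    ip: str
    result: str      # "Accepted" or "Failed"
    severity: str    # "critical" if the login succeeded, else "warning"
    days_after: int  # whole days since the termination took effect


def parse_line(line):
    """Return the fields of one auth event, or None for lines that are not auth events."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_post_termination_access(log_text, terminated):
    """Flag every auth event by a terminated account that occurred after its termination time."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] not in terminated:
            continue
        term_at = terminated[rec["user"]]
        if rec["ts"] < term_at:
            continue  # activity while still employed is not in scope for this check
        findings.append(Finding(
            ts=rec["ts"], user=rec["user"], ip=rec["ip"], result=rec["result"],
            # A successful login after termination means offboarding failed to disable the account.
            severity="critical" if rec["result"] == "Accepted" else "warning",
            days_after=(rec["ts"] - term_at).days,
        ))
    return findings


def summarize(findings):
    """Count accepted and failed attempts per terminated account."""
    summary = {}
    for f in findings:
        counts = summary.setdefault(f.user, {"Accepted": 0, "Failed": 0})
        counts[f.result] += 1
    return summary


if __name__ == "__main__":
    hits = find_post_termination_access(SAMPLE_LOG, TERMINATED)
    for f in hits:
        print(f"{f.severity.upper():8} {f.ts.isoformat()} {f.user:8} {f.result:8} "
              f"from {f.ip} ({f.days_after} days after termination)")
    print(summarize(hits))
```

On the constructed data the 08:55 login by jdoe is ignored because it precedes the 17:00 termination time, the two failed attempts that night are warnings, and the accepted login on March 3 is the critical finding: the account was still enabled two days after the employee left. The same structure applies to VPN, web mail or directory logs once the regular expression is adapted to their format.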
REFERENCES

Cyber Security Program Resources
Clark-Las Vegas Community Policy & Standards
SANS Institute Security Policy Project: www.sans.org/resources/policies/
National Security Agency (NSA) Security Configuration Guides: http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/
National Institute of Standards and Technology (NIST) Security Publications: http://csrc.nist.gov/publications/

Information Sharing
Multi-State Information Sharing and Analysis Center (MS-ISAC): http://www.msisac.org/
Department of Homeland Security (DHS) Communication and Interoperability, Memorandums of Understanding, Various Tools: http://www.safecomprogram.gov/
Information Systems Security Association (ISSA): https://www.issa.org/
Defense Information Systems Agency (DISA) Security Technical Implementation Guides: http://iase.disa.mil/stigs
ISACA: https://www.isaca.org/Pages/default.aspx

Federal
United States Computer Emergency Readiness Team (US-CERT): http://www.us-cert.gov
DHS Critical Infrastructure / Key Resources: http://www.dhs.gov/files/programs/gc_1189168948944.shtm
Common Criteria: http://www.commoncriteriaportal.org/
Forum of Incident Response & Security Teams (FIRST): http://www.first.org

Great for Families
National Center for Missing and Exploited Children: www.netsmartz.org

Training
The Center for Infrastructure Assurance and Security (CIAS): www.ciastraining.com
The Texas Engineering Extension Service (TEEX): www.teexwmdcampus.com/
The Cyberterrorism Defense Initiative (CDI): http://www.cyberterrorismcenter.org
National Cyber Security Alliance: http://www.staysafeonline.org/
Anti-Phishing Working Group: http://www.stopthinkconnect.org/
OnGuard Online: www.onguardonline.gov
Federal Trade Commission, Identity Theft: Deter, Detect, Defend: http://www.ftc.gov/bcp/edu/microsites/idtheft

Credit Monitoring
www.freecreditreport.com
www.annualcreditreport.com (one free credit report per year from each of the three credit reporting agencies)