Information Security Training
Jason Belford
Jimmy Lummis
Presenters – Who are these guys?
• Jason Belford
– Principal Information Security Engineer
• Jimmy Lummis
– Information Security Policy and Compliance Manager
Georgia Tech Information Security
• Security Policy
• Regulatory Compliance
• Incident Response
• Operational IT Security
• Training and Awareness
Georgia Tech Information Security is part of OIT.
Computer & Network Usage and Security Policy (CNUSP)
CNUSP - Highlights
• Applies to Faculty / Staff / Students / Guests / Contractors
• Encompasses appropriate use of GT computers and networks
• Defines expectation of privacy
CNUSP - Do
Do:
• Use IT resources in an ethical and legal manner
• Follow Intellectual Property laws
• Use a password-protected screensaver
• Report issues immediately
• Stop and ask if you have questions or concerns!
CNUSP – Don’t
Don’t:
• Circumvent security
• Install non-approved software
• Use Institute resources for personal gain (the policy's incidental-use provision covers limited personal use, not profit)
• Allow others to use your computer
• Be afraid to ask questions!
CNUSP - Quiz
True or False: The CNUSP allows you to download MP3s to your Georgia Tech computer.
True or False: I do not need approval to install or use personal software on my Georgia Tech computer.
True or False: If my coworker asks for access to my computer, I should just allow it.
CNUSP – Links
• Computer & Network Usage and Security Policy
– http://policylibrary.gatech.edu/computer-and-networkusage-and-security
Data Access Policy
Data Access Policy (DAP)
The Data Access Policy (DAP) provides a structured and consistent process for employees to obtain the data access necessary for conducting Georgia Tech operations.
• All employees of Georgia Tech are covered by the DAP
• All Georgia Tech data (electronic, paper or otherwise) are covered by the DAP
• All Georgia Tech data is classified into one of four categories
Data Access Policy - Data Classification
• Category I – Public Use
– Examples: Institute web site content, press releases, employee work addresses
• Category II – Internal Use
– Examples: directory listings, internal intranet web sites, gtID (alone)
• Category III – Sensitive
– Examples: Social Security Number, research data, intellectual property of Georgia Tech
• Category IV – Highly Sensitive
– Examples: Credit Card Numbers
Data Access Policy – Do
Do:
• Request access to non-public data appropriately
• Assume all data, unless already classified, is category II
• Limit the use of data to only what is absolutely necessary
• Encrypt non-public data at rest and in-flight
• Be mindful of who you share non-public data with
• Reach out to Information Security and ask!
Data Access Policy – Don’t
Don’t:
• Attempt to access data you aren’t authorized to access
• Give data to unauthorized individuals
• Store data unless absolutely necessary
• Store data on unsecured systems
• Store data on mobile devices unless absolutely necessary
• Be shy, reach out to Information Security and ask!
Data Access Policy - Quiz
True or False: The Data Access Policy states that all data and information should be freely available and made public.
Question: What classification category is credit card data?
True or False: When I’m not sure what to do with sensitive data, I should crawl under my desk and hide.
Data Access Policy – Links
• Data Access Policy
– http://policylibrary.gatech.edu/data-access
Current Threats
Hacking
• To circumvent security and break into another's server, Web site, or the like with malicious intent [1]
• Motivation
– Curiosity
– Monetary
– Political
– Publicity
– Strategic (State sponsored)
1. http://dictionary.reference.com/browse/hacking
Hacktivism
• Hack + Activist = Hacktivist
• Political motivation
• Most often carried out anonymously
Hacks (2011 and 2012)
Source: http://redmondmag.com/articles/2011/06/27/timeline-of-anonymous-lulzsec-hacks.aspx
Malware
• Malicious Software
• Purpose
– disrupt computer operation
– gather sensitive information
– gain unauthorized access to computer systems
• Biggest issue on Georgia Tech campus each year
http://en.wikipedia.org/wiki/Malware
Social Engineering
The art of manipulating people into performing actions or divulging confidential information.
• Types
– Baiting
– Phishing
– Tailgating
– Vishing
Phishing
From: GaTech Email Admin [mailto:noreplies@gatech.edu]
Sent: Friday, September 09, 2011 3:35 AM
To: George Burdell <george.burdell@gatech.edu>
Subject: Upgrade Your Email
You are currently viewing Gatech in basic HTML. Why?
Follow the link below for faster, better webmail.
Click HERE.
Phishing
The same message with the real link target revealed: the From address looks like Georgia Tech, but the link points to an unrelated .cn domain.
From: GaTech Email Admin <noreplies@gatech.edu>
Sent: Friday, September 09, 2011 3:35 AM
To: George Burdell <george.burdell@gatech.edu>
Subject: Upgrade Your Email
You are currently viewing Gatech in basic HTML. Why?
Follow the link below for faster, better webmail.
Click HERE. (link target: http://gatechupgrade.dfjsdh422tgs.cn)
URL Dissection
http://www.gatech.edu/login/index.html
• Scheme: http:// (not HTTPS, so nothing typed into this page is protected in transit)
• Host: www.gatech.edu
– Read the host from the right: the registered domain, gatech.edu, is what tells you who owns the site; everything to its left (www) is chosen by that owner
• Path: /login/index.html (anything after the host is controlled by whoever owns the host, so "login" or "gatech" in a path proves nothing)
Phishing Quiz
Gone Phishing?
https://login.gatech.edu
Is this site legitimate? YES!
https://highereducation.gt.edu.hied.com/login
Is this site legitimate? NO! (the registered domain is hied.com, not gatech.edu)
http://login.gt.gatech.edu
Is this site legitimate? NO! (a login page served over plain HTTP)
https://loginpage.dept.gatech.edu
Username: _____________________
Password: _____________________
[SUBMIT]
Is this site legitimate? MAYBE… When in doubt, ASK!
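As an added example (not part of the training slides), the URL dissection and the quiz rules above written out in Python. It assumes gatech.edu is the trusted registered domain and login.gatech.edu is the one known-good login host; the "last two labels" rule for the registered domain is a simplification that works for .edu/.com/.cn but not for country-code suffixes such as .co.uk.

```python
from urllib.parse import urlsplit

# Assumptions for this example: the institution's registered domain and the host
# the training names as the real login page. Neither value comes from the slides' policy text.
TRUSTED_DOMAIN = "gatech.edu"
KNOWN_LOGIN_HOSTS = {"login.gatech.edu"}


def dissect(url):
    """Split a URL into the pieces the slide highlights: scheme, host, registered domain, path.

    The registered domain is approximated as the last two host labels (a known
    simplification: it is wrong for ccTLD suffixes such as .co.uk).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    registered = ".".join(labels[-2:]) if len(labels) >= 2 else host
    return {
        "scheme": parts.scheme.lower(),
        "host": host,
        "registered_domain": registered,
        "path": parts.path or "/",
    }


def judge(url):
    """Apply the quiz's rules.

    'no'    - not HTTPS, or the host is not under the trusted domain
    'yes'   - a host the training explicitly names as the login service
    'maybe' - under the trusted domain but unknown: ask Information Security
    """
    d = dissect(url)
    if d["scheme"] != "https":
        return "no"  # credentials must never travel over plain HTTP
    host = d["host"]
    if host != TRUSTED_DOMAIN and not host.endswith("." + TRUSTED_DOMAIN):
        # "gatech" appearing somewhere in the host is not enough; the suffix must match,
        # which also rejects look-alikes such as gatech.edu.evil.example
        return "no"
    if host in KNOWN_LOGIN_HOSTS:
        return "yes"
    return "maybe"


if __name__ == "__main__":
    # Constructed sample inputs: the dissection slide, the phishing link, and the four quiz URLs.
    for u in [
        "http://www.gatech.edu/login/index.html",
        "http://gatechupgrade.dfjsdh422tgs.cn",
        "https://login.gatech.edu",
        "https://highereducation.gt.edu.hied.com/login",
        "http://login.gt.gatech.edu",
        "https://loginpage.dept.gatech.edu",
    ]:
        print(judge(u).upper().ljust(6), dissect(u))
```

The "maybe" outcome is deliberate: HTTPS plus a gatech.edu suffix only shows that the page is served from somewhere inside the institution's domain, not that the page itself is legitimate (a compromised departmental host would pass both checks), which is why the slide's answer for loginpage.dept.gatech.edu is to ask rather than to type a password.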
Mobile Device Security
Mobile Device Security – What’s a Mobile Device?
Mobile computing devices at Georgia Tech include, but are not limited to:
• Cellular telephones
• Smart phones (e.g. iPhones, Android Phones, BlackBerry)
• Tablet computers (e.g. iPad, Kindle, Kindle Fire, Android Tablets)
• Personal Digital Assistants (e.g. Palm Pilot)
• Any other mobile device containing Georgia Tech data (e.g. laptops, USB drives)
Mobile Device Security - Threats
• Lost or stolen devices
• Mobile malware
• Privacy threats
• Wi-Fi / Bluetooth sniffing
Mobile Device Security – Securing the Device
• Passwords/Encryption
• Don’t store sensitive data
• Antivirus
• Device locators
• Remote wipe
• Don’t jailbreak!
Mobile Device Security – Device Awareness
• Keep your mobile devices with you at all times
• If not with you, store in a secured location
• Do NOT leave devices unattended in public locations
– Airports
– Conference rooms
– Restaurants
Mobile Device Security - Quiz
True or False: Malware is only an issue for my home computer.
True or False: I should always store sensitive data on my mobile device!
True or False: It’s okay to ask a stranger to hold your mobile device while you tie your shoe.
Mobile Device Security – Links
• Stay Tuned
– Currently working to update the Data Access Policy and Data Protection Safeguards to include controls for mobile devices
Passwords
Policy – Changing Soon…
Passwords must…
• Be 11 to 23 characters
• Be changed every 120 days
• Contain at least 3 character classes
– Lowercase Alphabetic (abcdefg…)
– Uppercase Alphabetic (ABCDEFG…)
– Numbers (0123456789)
– Special Characters (!@#$%&*)
Passwords cannot…
• Contain your username
• Be one of your most recent 3 passwords
http://policylibrary.gatech.edu/passwords
Picking a Strong Password – Bad Habits
• Don’t share your password with anyone… EVER!
• Don’t use the same password for multiple accounts
• Don’t write down your passwords
• Don’t select a password and then keep changing the number on the end
• DON’T USE ANY PASSWORD SEEN IN THIS PRESENTATION!
Picking a Strong Password (Method 1)
Start with a phrase that means something to you:
I’m a Rambling Wreck from Georgia Tech!!!
Keep the first letter from each word and the punctuation:
I’aRWfGT!!!
Add some numbers or replace letters with numbers (here I becomes 1 and G becomes 6):
1’aRWf6T!!!
Picking a Strong Password (Method 2)
Start with a phrase that means something to you:
And a Heck of an Engineer
Replace spaces and letters with special characters:
&a-Heck-of-an-Engineer
Picking a Strong Password (Method 3)
Start with a phrase that means something to you:
Like all the jolly good fellows
Pad the beginning and the end with special characters and numbers:
1885jollygoodfellows…
Picking a Strong Password
How do our new passwords compare?

Password                  Number of Characters  Character Classes  How Secure?  Time to Crack?
Buzz1234567               11                    3                  Weak         10 hours
1’aRWf6T!!!               11                    4                  Strong       19 years
&a-Heck-of-an-Engineer    23                    3                  Very Strong  9 billion trillion centuries
1885jollygoodfellows…     23                    3                  Very Strong  6 billion trillion centuries

Source: https://www.grc.com/haystack.htm
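As an added example (not code from the training or from Georgia Tech), the password policy slide and the three construction methods above turned into a small Python tool: it builds candidates from a phrase the way Methods 1 to 3 describe, counts character classes, and checks the policy rules (length 11 to 23, at least 3 classes, no username, not one of the last 3 passwords). The letter-to-digit table beyond I to 1 and G to 6, the username gburdell3, and the use of three periods instead of the slide's ellipsis character are assumptions made here; the 120-day rotation rule needs a timestamp the slides do not give and is left out.

```python
import string

# Policy values from the slide (the training notes the policy is changing; taken as current here).
MIN_LEN, MAX_LEN = 11, 23
MIN_CLASSES = 3
HISTORY_DEPTH = 3

# Letter-to-digit substitutions for Method 1. The slide shows only I->1 and G->6;
# the other three entries are an assumption.
LEET = {"I": "1", "G": "6", "O": "0", "E": "3", "S": "5"}


def character_classes(password):
    """Return the set of policy character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")  # punctuation such as !@#$%&* and '-'
    return classes


def policy_violations(password, username, history=()):
    """List the policy rules a candidate breaks; an empty list means it is compliant.

    Compliance is not strength: the slide's Buzz1234567 passes every rule here yet is weak,
    because a mascot name plus a counting sequence is the first thing a guesser tries.
    """
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be %d to %d characters" % (MIN_LEN, MAX_LEN))
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append("needs at least %d of the 4 character classes" % MIN_CLASSES)
    if username and username.lower() in password.lower():
        problems.append("must not contain the username")
    if password in list(history)[-HISTORY_DEPTH:]:
        problems.append("must not be one of the most recent %d passwords" % HISTORY_DEPTH)
    return problems


def acronym(phrase):
    """Method 1, step 1: keep the first letter of each word plus any punctuation in that word."""
    pieces = []
    for word in phrase.split():
        first = next((c for c in word if c.isalpha()), "")
        punct = "".join(c for c in word if c in string.punctuation)
        pieces.append(first + punct)
    return "".join(pieces)


def leetify(text):
    """Method 1, step 2: replace letters with look-alike digits."""
    return "".join(LEET.get(c, c) for c in text)


def hyphenate(phrase):
    """Method 2: turn a leading 'And' into '&' and join the remaining words with '-'."""
    words = phrase.split()
    if words and words[0].lower() == "and":
        return "&" + "-".join(words[1:])
    return "-".join(words)


def pad(words, prefix="1885", suffix="..."):
    """Method 3: squash the chosen words together and pad both ends with digits and punctuation."""
    return prefix + "".join(w.lower() for w in words.split()) + suffix


def summarize(password, username="gburdell3"):
    """Length, class count and policy result, i.e. the columns of the comparison slide."""
    return {
        "length": len(password),
        "classes": len(character_classes(password)),
        "compliant": not policy_violations(password, username),
    }


if __name__ == "__main__":
    # Constructed inputs: the four passwords from the comparison slide.
    candidates = [
        "Buzz1234567",
        leetify(acronym("I'm a Rambling Wreck from Georgia Tech!!!")),
        hyphenate("And a Heck of an Engineer"),
        pad("jolly good fellows"),  # the slide keeps only the tail of its phrase
    ]
    for pw in candidates:
        print(pw.ljust(24), summarize(pw))
```

The point the summary makes visible is that all four candidates are policy-compliant; only length and the unpredictability of the phrase separate the "Weak" row from the "Very Strong" ones, which is why the slide's bad-habits list warns against predictable patterns rather than adding more rules.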
Picking a Strong Password
Buzz: good mascot, bad password.
Quiz
1. (T/F) When my supervisor asks for my password, I am required to give it to them.
2. (T/F) Since the passwords here are supposed to be more complex, it is okay to write it down.
3. (T/F) I should think of just one password and keep putting a different number on the end at each password change.
Physical Security
Physical Security - Threats
• Theft
• Vandalism
• Sabotage
• Espionage
Physical Security – Common Exploitation Methods
• Hardware key-loggers
• Posing as a trusted authority or service person
• Social engineering staff to gain access to facilities
• Connecting a rogue device to the wired/wireless network
• Tailgating to gain access to the data center
Physical Security – Combating the Threat
• Be aware of your surroundings
• Report anything that appears out of the ordinary
• Inspect USB and other ports for unknown devices
• When in doubt, ask for ID
• Don’t let your devices out of your sight
• Keep sensitive items behind locked doors/drawers
• Don’t leave sensitive items in your car
Physical Security - Quiz
True or False: It’s okay to hold the door for someone on your way into a secured facility.
Question: ________ are devices that can be attached to a computer which capture everything entered on a keyboard.
True or False: It’s okay to talk about confidential research data on the phone with someone you’ve never talked to before.
What to do if you suspect you’ve been hacked!
• Contact your CSR (Computer Support Representative) and report the issue
• Run a virus scan
– If you are unable to do so:
• Save your work
• Shut down your computer
• Change your GT account password
– It may be a good idea to change all your other passwords as well
Questions
Contact Information
Jason Belford: jason.belford@oit.gatech.edu, 404-894-6159
Jimmy Lummis: jimmy.lummis@oit.gatech.edu, 404-385-0334
support@oit.gatech.edu