Information Security Awareness, Safety, and Protecting Information
Jay James R. Arroyo, CEH, CCNSP
Network and Security Administrator
Information and Communication Technology Division

Security Awareness
Security awareness is the knowledge of potential threats and the ability to anticipate what types of security issues and incidents officers, staff, and job orders may face in their day-to-day functions. Technology alone cannot provide adequate information security. Awareness and personal responsibility are critical to the success of any information security program.

Why Security?
• Liability
• Privacy Concerns
• Copyright Violations
• Identity Theft
• Resource Violations
• Reputation Protection
• Meet Expectations
• Laws & Regulations

Information Security Involves Three Elements
• Confidentiality: Ensuring information is disclosed to, and reviewed exclusively by, intended recipients / authorized individuals. Threats include phishing, malware and unpatched systems (both operating systems and applications).
• Integrity: Ensuring the accuracy and completeness of information and processing methods. Supported by business process improvement and verification processes.
• Availability: Ensuring that information and associated assets are accessible, whenever necessary, by authorized individuals. Supported by disaster recovery / business continuity planning.

Security in General
Security: The quality or state of being secure
• Freedom from danger
• Freedom from fear, anxiety or care
• Freedom from uncertainty or doubt

Safety: The condition of being safe
• Freedom from exposure to danger
• Exemption from hurt, injury or loss
• Knowledge of or skill in methods of avoiding accident or disease

Why is information security important today?
• High degree of networking
• Sensitive information stored on computers
• Hacking is a sport for students and enthusiasts
• Cracking is business for criminals!
• Theft of credit card data or identity theft can lead to uncontrollable damage and nuisances of all kinds (privacy)

The Internet is a very special place…
• Distance is irrelevant
• Networked systems are prime targets
• The knowledge to act as a computer criminal can be acquired by everyone
• If there are no log files, there are no traces of any wrongdoing
• Any crime or event can remain undetected for months
• Cybercrime is hard to follow up on
• International police cooperation is not easy
• If cybercrime is not a crime in a country, there are no crimes
• Any security measures can very easily lead to an abrogation of essential freedoms

Understanding Threats
• What is valuable?
• What is vulnerable?
• What can we do to safeguard and mitigate threats?
• What can we do to prepare ourselves?
• Most believe they will win the lottery before getting hit by malicious code

Internet Users
http://www.internetlivestats.com/internet-users/philippines/

Attack Trends
• Increasing sophistication
• Decreasing costs
• Increasing attack frequency
• Difficulties in patching systems
• Increasing network connections, dependencies, and trust relationships

Threats
• A threat is any potential danger to information and systems
• 3 levels of cyber threats: unstructured, structured, highly structured

Unstructured Threats
• Individual/small group with little or no organization or funding
• Easily detectable information gathering
• Exploitations based upon documented flaws
• Targets of opportunity
• Gain control of machines
• Motivated by bragging rights, thrills, access to resources

Structured Threats
• Well organized, planned and funded
• Specific targets and extensive information gathering to choose avenue and means of attack
• Goal: data stored on machines, or the machines themselves
• Exploitation may rely on insider help or an unknown flaw
• Target drives attack
• Organized crime / black hat hackers

Highly Structured Threats
• Extensive organization, funding and planning over an extended time,
with the goal of having an effect beyond the data or machine being attacked
• Stealthy information gathering
• Multiple attacks exploiting unknown flaws or insider help
• Coordinated efforts from multiple groups
• "Cyber warfare"

Risk Handling Discussion
• Risk reduction (countermeasures, HVA)
• Risk transference (insurance)
• Risk acceptance (may happen)
• Risk rejection (do nothing)
• Security assessments are an important part of risk management
• Penetration testing
• Identify all vulnerabilities and threats to information, systems and networks

Contingency Planning Components
• How to handle disruption?
• Business continuity
• Disaster recovery
• Incident response

Recovery Strategy
• A recovery strategy provides direction to restore IT operations quickly and effectively
• Backup methods
• Alternate sites
• Equipment replacement
• Roles and responsibilities
• Cost considerations

Business Continuity Plan
• A comprehensive written plan to maintain or resume business operations in the event of a disruption
• Continue critical business operations
• Jeopardize normal operations
• Most critical operations
• May require alternate sites (hot, warm, cold)
• What do we need to KEEP going?

Disaster Recovery Plan
• A comprehensive written plan to return business operations to the pre-disruption state following a disruption
• Restore IT functions (prep and restore)
• Jeopardize the normal operations
• Includes all operations
• RETURN TO NORMAL BUSINESS OPERATIONS
• WHAT DO WE NEED TO DO IN CASE OF A DISASTER?
Plan Testing, Training and Exercising
• Testing is critical to ensure a viable contingency capability
• Conduct plan exercises
• TTXs (tabletop exercises) are useful

Policies and Procedures
• Establish security culture
• Establish best security practices
• Define goals and structure of security program
• Educate personnel
• Maintain compliance with any regulations
• Ex: email policy, Internet usage, physical security

Physical Security Countermeasures
• Property protection (doors, locks, lighting)
• Structural hardening (construction)
• Physical access control (authorized users)
• Intrusion detection (guards, monitoring)
• Physical security procedures (escort visitors, logs)
• Contingency plans (generators, off-site storage)
• Physical security awareness training (training for suspicious activities)

Personal Security
• Practices established to ensure the safety and security of personnel and other organizational assets
• It's ALL about people
• People are the weakest link
• Reduce vulnerability to personnel-based threats

Personal Security Threat Categories
• Insider threats: most common, difficult to recognize; includes sabotage and unauthorized disclosure of information
• Social engineering: multiple techniques are used to gain information from authorized employees and to use that information in conjunction with an attack
• Not aware of the value of information

Social Engineering
Social engineering is the human side of breaking into a corporate network. Social engineering involves gaining sensitive information or unauthorized access privileges by building inappropriate trust relationships with insiders. Social engineers manipulate people into speaking/acting contrary to their normal manner. The goal of a social engineer is to fool someone into providing valuable information or access to that information. In most cases the attacker never comes face-to-face with the victim, but they get the information or the access they need to commit fraud nearly 100% of the time.
Social Engineering
• Pretexting: when a social engineer develops a storyline that he or she is able to portray to the target. It provides the justification for the questions being asked.
• Impersonation: posing as an employee. It is a technique used by social engineers to deceive people.

Protect from Phishing and Email Scams
• Who is the email from? Look at the "From:" field. Is the sender's name or email address familiar to you? Does it use a webmail account like Hotmail or Gmail when it claims to be from your bank?
• Is there a URL in the email? Where's the hyperlink going to? To see where the hyperlink is actually going, hover over it with your mouse (don't click it). The true URL will be displayed at the bottom in the status bar. When in doubt, don't click on it! As a best practice, never click on links in emails, texts, or social network sites. Instead, type the site address into the browser yourself (www.picpa.com.ph) to ensure that the browser goes to the expected site.
• Is there a threat of immediate detrimental action if you don't respond with personal information? A message demanding an immediate response deserves a good dose of skepticism.
• Does the email refer to a current news event? Major news events such as large-scale catastrophes or the death of celebrities are quickly followed by a wave of phishing messages touting the same news events in their subject lines or email body. Phishers are hoping that overeager users will let their guard down and click on their proffered URL links in their haste for more information.
• Does the tone of the email from friends or colleagues sound right? Filter the messages based on what you know of the purported sender(s) and how they typically write.
• What if I don't have anything of value? People often assume they have nothing worth stealing. They think, "Why would somebody want something from me?
I don't have any money or anything anyone would want." On the contrary, if a social engineer can assume your identity, he or she can convince your friends to do something. Or you may end up paying their bills. Or they can commit crimes in your name. No matter who you are, or who you represent, you have value to a criminal.
The single most important key to avoiding phishing and email scams is to not give sensitive information to anyone unless you can verify that they are who they claim to be and that they have a legitimate need for access to the information.

Dumpster Diving
• Improperly discarded memos, organizational charts, or policy manuals could be used for footprinting (the art of gathering information, or pre-hacking). Social engineers commonly research a predetermined target and determine the best opportunities for exploitation. Dumpsters provide a huge amount of information, including the information a hacker needs to impersonate an employee.

How do you protect yourself and your company?
Social engineering attacks may be inevitable in the world today for the simple reason that humans are easy targets; nevertheless, that does not mean that attacks are unpreventable. The single most important key to avoiding social engineering attacks is to not give sensitive information to anyone unless you can verify that they are who they claim to be and that they have a legitimate need for access to the information. Organizations and individuals can protect themselves through training and awareness as well as security-related policies and procedures.

What is an organization's best line of defense?
Properly trained staff, not technology, is the best protection against social engineering attacks. Learn how to protect yourself and your organization against social engineering attacks by understanding social engineering tactics and knowing how to recognize scams.
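The phishing checks above (who the message is really from, whether a hyperlink's true destination matches what it displays, and whether the message pressures you to act immediately) can be applied mechanically as a first pass before a person looks at a suspicious message. The Python script below is an added example written for this page, not code from the original presentation; the sample message, the list of webmail domains and the urgency keywords are all constructed for illustration, and the "claims to be a bank" test is a deliberately simple stand-in for the judgement a trained reader applies.

```python
"""First-pass phishing triage over a raw e-mail message (added example, constructed data)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a message that names a bank in the sender field but is sent from a
# webmail domain, demands immediate action, and carries a link whose visible text does not
# match its real destination. The domains use reserved example names.
SAMPLE_EMAIL = """\
From: "Acme Bank Security" <acme.bank.alerts@gmail.com>
To: staff@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended unless you verify immediately.</p>
<p>Click <a href="http://login-acmebank.example.net/verify">https://www.acmebank.example.com/secure</a></p>
</body></html>
"""

WEBMAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}  # assumption: short illustrative list
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "suspended")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _shown_host(visible):
    """Return the host a link's visible text appears to name, or None if it is plain words."""
    candidate = visible if "://" in visible else "//" + visible
    host = urlparse(candidate).hostname or ""
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else None


def triage(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Check 1: sender address versus the organisation named in the display name.
    from_hdr = msg["From"]
    addr = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    sender_domain = addr.addr_spec.rsplit("@", 1)[-1].lower() if addr else ""
    display = addr.display_name if addr else ""
    if sender_domain in WEBMAIL_DOMAINS and re.search(r"bank", display, re.I):
        findings.append(f"claims to be a bank but was sent from webmail domain {sender_domain}")

    # Check 2: urgent-action language in subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    combined = f"{msg['Subject'] or ''} {text}".lower()
    if any(word in combined for word in URGENCY_WORDS):
        findings.append("urgent-action language in subject or body")

    # Check 3: the real link target versus the host the visible text shows (the 'hover' check).
    parser = _LinkCollector()
    parser.feed(text)
    for href, visible in parser.links:
        real_host = (urlparse(href).hostname or "").lower()
        shown = _shown_host(visible)
        if shown and real_host and shown != real_host:
            findings.append(f"link text shows {shown} but points to {real_host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

The link check only fires when the visible text itself looks like a domain or URL; a link whose text is plain words ("Click here") cannot be contradicted by its target and still has to be judged by hovering over it, exactly as the slide advises.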
People are the weakest link and, as a result, organizations must build a human firewall by training their people.

Safe Social Networking
People are getting hurt today because they're revealing too much information online, and because they trust that other people won't steal their identities. In today's world, this is just naïve. Users of social networking sites may not think much about the way posted information might enable identity theft, home burglary and social engineering attacks, and may easily get into trouble. Neither do they consider how their behavior on social media sites might affect their employer. Information security awareness training can help to decrease the likelihood of serious problems, whether at home or at work.
• Mobile apps: There's no guarantee that mobile apps are free of bugs or malware. Mobile malware is capable of obtaining any and all permissions on the infected device, sending SMS messages to premium phone numbers, stealing online banking credentials & downloading other malicious code without the user's knowledge.
• Social networking sites: Sometimes hackers go right to the source, injecting malicious code into a social networking site, including inside advertisements, shortened URLs, and via third-party apps.
• Users: It's imperative that users understand how to safely navigate the Internet. At the same time, individuals & employees need to behave responsibly, understanding that we all have lapses in judgment, make mistakes or behave emotionally. Nobody's perfect all of the time.
• Lack of a social media policy: Organizations need to spell out the goals and parameters of their enterprise's social media initiatives or they're inviting problems. Employees need proper training, if only to clear up issues regarding official social media policies, and every social media initiative needs a coordinator, i.e. a social media manager.
Safe Social Networking
Undoubtedly, the use of social networking increases the risk of leaking sensitive information and Personally Identifiable Information (PII). There are other risks to organizations as well:
• Reputational risks
• Data breaches
• ID theft
• Copyright and trademark infringements
• Defamation and libel
• Loss of intellectual property
• Violations of industry-specific regulatory requirements
• eDiscovery costs

Best practices for all your social networking accounts and activities:
• Choose a strong password: Make it longer than eight characters, include a variety of letters, numbers, and symbols, and change it regularly. Make sure you use different passwords for each of your online accounts.
• Never save passwords in your browser: Browsers often ask if you'd like to save your password for easy access (so you don't have to enter it on your next visit). Never ever save your passwords on your computer.
• Never post information in your profile (or elsewhere) that could be used to confirm your identity. This includes home address, birth date, phone number, etc. An individual's DOB and state of birth are enough to guess a SSN with great accuracy.
• Turn off the bells & whistles. Disable options, then open them one by one.
• Set up login alerts. To help protect your account, request an email from the site should someone try to log in from an IP address other than yours.
• Use your privacy settings to control who gets to see your posts and profile.
• Turn off applications such as games & quizzes (Get a free goat on Farmville!). If you choose to add applications, ensure you understand and control how much information you share with the application.
• Enable secure browsing, or HTTPS, when using social media sites from unsecured public networks such as those in airports, cafes or hotels. This encrypts the information you send and receive.
(Look in the site's security settings.)
• Get tips and advice on how to avoid threats from the site's security/privacy page.

Safely engage in social networking:
• Use discernment when accepting friend invitations. Only accept invitations from people you know. Cybercriminals create bogus profiles to propagate malware.
• Show "limited friends" a cut-down version of your profile. This can be useful if you have associates to whom you do not wish to give full friend status.
• Remove a connection to a friend that you are no longer comfortable with.
• Block individuals if they are harassing you or if you just don't want to be visible to them.
• Report abuse: The most efficient way to do this is right where it occurs, in the social media site's privacy settings.
• Be careful where you click. Make sure to evaluate the potential costs/benefits of pop-ups, applications, and invites.
• Don't be an early adopter of a new app. Give the community time to discover the security weaknesses before you dive in.
• Avoid suspicious-looking URLs. Make it a habit to mouse over links to identify the source and proceed with caution.
• Never click on unsolicited links containing celebrity gossip, natural disasters, political scandals etc. Scammers quickly build malicious websites designed to trick users into installing malware or sending donations to replicated websites.
• Never copy & paste a link into your address bar unless you know where the link goes. Doing so will bypass your browser's security controls.
• Never post your whereabouts or your vacation plans. You're only helping burglars to plan their break-in.
• Never give up your login credentials. Social engineers are equipped with enough information to trick you into believing the request is from a legitimate authority.
• Ask permission before posting someone's picture or publishing a conversation that was meant to be private.
• Respect the law, including those laws governing defamation, discrimination, harassment and copyright.

Online Privacy
Every day we share information about ourselves with businesses. We do this when we take advantage of all kinds of services, including Internet searches, social networking, mobile and more. When we use these services, we're sharing information about ourselves with friends, businesses, and affiliates. That information is often shared and sold between businesses and advertising networks.

Here are a few tips to help you protect your personal information online:
1. Examine the seals and privacy policies that Internet companies post on their websites before using their product. As Internet companies become more established, their policies may change, but their clients will be less likely to inform themselves of the change.
2. Before making a purchase from an online retailer, first ensure that the company or individual is legitimate and that you are not dealing with hackers posing as an online store. Do they ensure that the transaction is secure and encrypted? Does the site provide offline contact information, including a postal address?
3. Beware of sites that offer some sort of reward or prize in exchange for your contact information or other personal details.
4. Refrain from giving out your full name, address, birth date, or any other personal information that could be used to impersonate you (identity theft) or gain access to your accounts.
5. Periodically review the privacy and security settings on your Internet accounts and adjust them to your personal comfort level. Do not rely on "recommended" settings or default settings, and ensure they haven't been reset through an automatic update.
6. Periodically review and delete apps and games you no longer use that have access to your accounts and devices.
7. Log out of websites and browsers when you are done. Never leave your online accounts open.
8. The best offense is a good defense: Safety and security start with protecting your computer. Install a security suite (antivirus, antispyware, and firewall) that is set to update automatically. Make sure that you are regularly applying updates for your operating system. Be sure that you are running the most up-to-date version of your Web browser. Keeping these critical components up to date ensures that you are protected from commonly exploited attacks.
9. Make sure that your password is long, complex and combines letters, numbers, and symbols (if allowed). Ideally, you should use a different password for every online account you have.
10. Know what action to take if you suspect unusual activity or a breach.

Knowing how to navigate the Internet safely is essential to maintaining your privacy online. Remember that YOU decide what information about yourself to reveal, when, why, and to whom.

Creating Awareness
Educate staff
• Train staff
• Document processes and outline expectations
Research potential candidates
• Perform background & credit checks
Track system changes
• Audit system access
• Audit system changes
Create & communicate policies
• Define document and system disposal processes
• Define backup procedures
• Define clean work area policies
• Define computer usage policies

Technology
Core Features
• Sleek, portable, quiet, compact, rugged, shippable form factor
• Intel-based hardware delivers professional-grade performance & reliability
• Onboard high-gain 802.11a/b/g/n/ac wireless supporting packet injection & monitor mode
• Onboard Bluetooth supporting device scanning & monitor mode
• Runs Pwnix, a custom Debian distro based on Kali Linux
• Over 100 OSS-based pentesting tools including Metasploit, SET, Kismet, Aircrack-NG, SSLstrip, Nmap, Hydra, W3af, Scapy, Ettercap, Bluetooth/VoIP/IPv6 tools, and more
• Simple web-based administration and in-product updates with "Pwnie UI"
• One-click Evil AP & Passive Recon services
• Persistent reverse-SSH access to your
target network
• 6 unique covert channels for remote access through application-aware firewalls and IPS
• Supports HTTP proxies, SSH-VPN, & OpenVPN
• Out-of-band SSH access over 4G/GSM cell networks (with optional GSM adapter accessory)
• Wired NAC/802.1x/RADIUS bypass capability
• Unpingable and no listening ports in stealth mode
• Local console access via HDMI

Pwn Plug Technology
https://www.pwnieexpress.com/

THANK YOU!
Jay James R. Arroyo, CEH, CCNSP
Network and Security Administrator
Mobile: 0916.221.88.77
Email: jjrarroyo@nbi.gov.ph
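The "Set up login alerts" practice in the social networking best practices and the "Audit system access" item under Creating Awareness rest on the same mechanism: keep a record of the addresses each account has successfully logged in from, and raise an alert the first time a successful login arrives from an address not in that record. The Python below is an added example written for this page, not code from the presentation or from any site mentioned in it; the log line format, the user names and the IP addresses are constructed for illustration.

```python
"""Alert on successful logins from an address the account has not used before (added example)."""
from collections import defaultdict

# Constructed sample authentication log, oldest event first (not real data). The addresses
# come from reserved documentation ranges.
SAMPLE_LOG = """\
user=alice ip=203.0.113.10 result=success
user=alice ip=203.0.113.10 result=success
user=bob ip=198.51.100.7 result=success
user=alice ip=192.0.2.55 result=failure
user=alice ip=192.0.2.55 result=success
user=bob ip=198.51.100.7 result=success
user=alice ip=203.0.113.10 result=success
"""


def parse_log(text):
    """Turn 'key=value' log lines into (user, ip, result) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        events.append((fields["user"], fields["ip"], fields["result"]))
    return events


def detect_new_ip_logins(events):
    """Return (user, ip) for each successful login from an address the user has not used before.

    Only successful logins extend a user's known-address set, so a burst of failed attempts
    from an unfamiliar address does not quietly enrol it. A user's very first login seeds the
    baseline and is not alerted; the site knows nothing about the account's history before it.
    """
    known = defaultdict(set)  # user -> addresses with at least one prior successful login
    alerts = []
    for user, ip, result in events:
        if result != "success":
            continue
        if known[user] and ip not in known[user]:
            alerts.append((user, ip))
        known[user].add(ip)
    return alerts


def format_alert(user, ip):
    """Text of the e-mail the site would send the account owner (wording is constructed)."""
    return (f"New sign-in to account '{user}' from unrecognised address {ip}. "
            f"If this was not you, change your password and review your active sessions.")


if __name__ == "__main__":
    for user, ip in detect_new_ip_logins(parse_log(SAMPLE_LOG)):
        print(format_alert(user, ip))
```

In the sample, alice's failed attempt from 192.0.2.55 produces nothing, the later successful login from that address produces one alert, and her return to 203.0.113.10 is silent because that address is already known. A production version would persist the known-address set per account and expire entries, but the decision rule is the one shown.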