End User Cyber Security Awareness Training

advertisement
Stop!!
THINK
Click
Who must complete this training

All Users: This training is required for all individuals,
including contractors and vendors, with security access to
sensitive or confidential systems owned by the Department
for Aging and Rehabilitative Services (DARS).
 New Users: Each individual must complete this training when
security access is granted.
 Annually: Refresher security training is required annually.

Certification: Supervisors must certify and report
completion of training to their DARS system
administrator or contacts.
 FRS-Support/LTESS-EES: Donna Bonessi
 Div for the Aging: Leonard Eshmont
Stop!
THINK
Click
Accessibility

This program is designed to meet standards for
accessibility for individuals with disabilities.

This presentation is adapted for use in a small class or
staff meeting that allows individuals to participate by
listening to the narrator or reading the content directly
from each slide.
 This program is also formatted for use with screen readers.
 The program should be narrated directly from the slide presentation.
For individuals that are deaf or hard of hearing, closed captioning is
not required and interpreters are not needed unless external
discussion is included.
Stop!
THINK
Click
Learning Objectives
In this program you will review:

Policy: Review and understand current security
policies that govern your use of COV and DARS
systems and data.

Threats: Identify common threats to COV systems,
confidential data and sensitive information.

Your Role: Understand what you can do to improve
security, and how to report incidents and suspicious
activities.
Stop!
THINK
Click
Section One:
Overview of
Cyber Security Policies
This section reviews current scope of policies for the
Commonwealth of Virginia (COV) as they relate to
devices and files, logons and passwords, security
updates, physical security, and protected data.
Stop!
THINK
Click
Section One-Policies: Scope

of Policies
All COV agencies, contractors and vendors
with access to sensitive or confidential systems are required to
adhere to policies governing personally identifying data,
protected health information, and sensitive data, including
policies published by the Virginia Information Technology
Agency (VITA).

All Users with access to COV networks and DARS systems
must follow these policies.

The Information Security Access Agreement (ISAA)
is required to be signed by all individuals requesting access to
COV and DARS systems.
Stop!
THINK
Click
Section One-Policies: Logons/Passwords

COV requires enforcement or the following standards
 Use of “strong passwords” which include upper case alpha,
lower case alpha, numeric (0-9) and non-alphabetic characters
(~ ! # $ % ^ & *) in positions 2-6.
 Passwords must be changed every 90 days.
 Passwords cannot be changed in less than 7 days.
 and cannot have been used within last 4 changes.
 Five unsuccessful attempts will lock your account.

These are secure standards you should also apply to
all of your accounts, including personal accounts.
Stop!
THINK
Click
Section One-Policies: Logons/Passwords

(continued)
Your Role: The policy also states that end users are
responsible for enforcement of certain standards:
 Your system or browser may not be configured to remember
passwords.
 Passwords will not be written down and posted in plain sight.

You may NEVER share your passwords with anyone
else for any reason.
Stop!
THINK
Click
Section One-Policies: Security

Updates
VITA enforces the following standards for security
updates and patches:
 Operating systems will be protected by applying automatic
security updates and patches.
 Applications are configured for automatic security updates and
patches (For example, for Microsoft Office, Outlook, Internet
Explorer, Adobe Reader).
 Security Software such as McAfee and Norton Antivirus will be
kept up to date and configured for regular scans.
 Security software should be set to scan Internet pages, email,
attachments, and downloads.

Your role: You should not change automatic settings or
over-ride security updates.
Stop!
THINK
Click
Section One-Policies: Devices
and Files

Devices, including external digital storage devices, must be
owned or approved by your organization to be connected to
sensitive DARS systems.

PC’s will be
 manually locked when unattended,
 automatically locked after a period of inactivity, for example,
fifteen minutes,
 set to require a password to re-activate,
 logged off overnight.

Files must be stored and backed up on your server and
must be encrypted when shared over network connections.
Stop!
THINK
Click
Section One-Policies: Physical

Security
Physical security policy requires protection of your
work space, physical devices and files. You must:
 Lock or shut down your workstation when you leave your desk
or leave your laptop/mobile device unattended.
 Lock sensitive paper documents and materials in a file cabinet.
 Dispose of sensitive materials appropriately.
 Never share your building access key, card or fob.
 Always question unescorted strangers.

You must always report incidents and suspicious
activities to your manager and security officer.
Stop!
THINK
Click
Section One-Policies: Protected
Data
Certain types of data are protected and regulated by the:

Social Security Administration (SSA)
 Controls the use of social security numbers (SSN’s)

U.S Department of Health and Human Services (HHS)
 Administers the Health Insurance Portability and Accountability Act
(HIPAA)

Virginia Information Technology Agency (VITA)
 Responsible for the information security standards commonly referred
to as “Sec 501”

Library of Virginia (LVA)
 Governs all records, including electronic files, under the authority of
the “Virginia Public Records Act”)
Stop!
THINK
Click
Section One-Policies: Protected
Data (continued)
Types of protected data can include:

Protected Health Information (PHI)
 Such as data contained in medical and health records and is
governed by HIPAA.

Personally Identifiable Information (PII)
 Includes use of Social Security Numbers (SSN) governed by the SSA,
and can include the SSN in combination with other identifying
information such as name, date of birth, employment, insurance,
residence and telephone numbers.
 If lost, compromised, or disclosed without authorization, this
information could result in substantial harm, embarrassment,
inconvenience, or unfairness to an individual.

Sensitive data
 Defined as data, documents, or files which, if compromised, would
have an adverse effect on the COV, your agency or organization, and
is governed by VITA (Sec 501) and the Library of Virginia (Records
Act).
Stop!
THINK
Click
Section One-Policies: Protected
Data (continued)
Required Protections by Users: All PHI, PII and sensitive
data must be protected by:

Storing data and files in a secure physical environment,

Storing files only on devices owned and approved by your
organization,

Encrypting mobile and external storage devices that
contain these files, including laptops, external hard drives,
USB “thumb” drives and CD’s.

Encrypting files that are “in transit” which includes files sent
via email and non-secure direct file transfer
Stop!
THINK
Click
Section One-Policies: Summary
Your role: Always be aware that COV/DARS systems are
governed by security policies and regulations, and follow safe
practices that are in your control.

Do not share your access with anyone, including your
passwords, keys, badges, and access codes.

Keep your PC desktop locked when you are not using it,
and lock your mobile devices in a secure location.

Protect your files and do not send them via email or share
them electronically without encryption.

Be aware of your work area and physical surroundings
and report suspicious activity.
Stop!
THINK
Click
Section Two:
Common Cyber Security Threats
This section reviews common cyber security threats
with suggestions on what you can do to protect
yourself and COV/DARS systems from harm.
Stop!
THINK
Click
Section Two-Threats: Two
Basic Concepts
Concept One: Electronic systems may not be secure.


VITA and DARS, and your organization attempt to provide
protections with firewalls, electronic enforcement and monitoring
systems.

But that does not completely protect you from interacting with
malicious and harmful software. You can still be targeted directly
and persistently by email messages, texts, and malicious Internet
links.
Concept Two: You control what you click.


Even with all the security COV/DARS and your organization can
apply, most end user threats are targeted specifically in hopes that
you will go ahead and click on a harmful link, attachment, picture,
video or icon in an email or web page, including social media
applications.
Stop!
THINK
Click
Section Two-Threats: The

Key to Your Role
Stop!: Pause before you click
 Your work relies on email and Internet interactions. Take a
moment and remember that each click could be potentially
harmful. Even if it at first appears to be from a legitimate
source.

Think!: Verify and Validate
 You must be aware, be alert and diligent. Always look for the
signs that external entities are trying to gain access to your PC
and your network.

Click: Proceed only if you are confident it is safe
Stop!
THINK
Click
Section Two-Threats: Email

Threats
Phishing, Spoofs, Hoaxes, Malware, Scams and Spam
 The most prevalent and persistent threats to your security arrive
in your Inbox.
 They come by different names and may even appear legitimate
and even supposedly from people you may know.

The Common Threat:
 Malicious emails appeal to your greed, your fear, your sense of
humor, your curiosity, and even your compassion.
 They are designed to get you to click on an item such as an
attachment, link, picture, or video.

Result:
 If you click, you may launch a harmful program or be directed to a
harmful web site. You may then find your personal information
compromised, and you may subject your organization’s network to
malicious software and possibly direct infiltration.
Stop!
THINK
Click
Section Two-Threats: Email

(continued)
Stop!: Pause before you click.
 Do not assume that links in your email are automatically safe,
Especially if the link is requesting you to provide personal
information.

Think: Look at emails carefully
 If you cannot identify the source and attachments as legitimate,
or you cannot be sure the links are safe by looking at the
actual destination web address, you can logically conclude that
you should be cautious.

Click:
 Only after you are confident that the action is legitimate and
safe.
Protect all of your email accounts.
Report all incidents and suspicious activity to security.
Stop!
THINK
Click
Section Two-Threats: Internet

Threats
Browsing Can Hazardous To Your PC
 The Internet is a significant resource for business and
government services.
 However, some of the same issues that attack email can
create security issues that you need to be aware of while
browsing directly on the Internet.

The Common Threat:
 On the web, the threats mainly come from malicious links.
Most of the threats come when you click on a link, icon,
picture, video, etc., that launches malicious programs or redirect you to dangerous sites.

Result:
 If you click, you may then find your personal, client, and
sensitive business information compromised. You may also
subject your network, PC and other devices to malicious
software.
Stop!
THINK
Click
Section Two-Threats: Internet

(continued)
Stop: Pause before you click
 Do not automatically click on Internet links until you have
confidence in them. This includes pictures, videos, and
navigational elements.

Think: Look at the actual address for the links
 Look at the actual address for the links in question. For
instance if the link indicates “Click Here” be sure to identify the
actual destination web address before you proceed.
 Look for external web addresses that are secure. The address
should begin with “https://” instead of “http://”

Click:
 Only after you are sure the destination web site is safe.
Browse Safely
Report all suspicious links and web sites to security.
Stop!
THINK
Click
Section Two-Threats: Social

Media
Social Media can be un-sociable
 While usually relatively safe (for instance, DARS Face Book and
Twitter pages) the rapid increase in social networking and
collaborative sites like Face Book, LinkedIn, You Tube, and Twitter
have offered new opportunities for hackers and thieves.

The Common Threat:
 It is PERSONAL! By nature these sites are personal. You may be
sharing highly personal information, including information about
yourself, employer and perhaps even about clients. You are
communicating with others in a highly interactive, very public, and
non-secure environment.

Result:
 You could find highly personal and sensitive information
compromised. When visiting and using these sites always use the
highest level security settings and be careful of the personal
information and even images that you post.
Stop!
THINK
Click
Section Two-Threats: Social

Media (continued)
Stop: before you, “like,” “share” or “post”
 Assume that everything you post can possibly be re-posted and used
without your permission

Think: Is it secure and appropriate?
 Use the highest security and privacy settings for your personal social
media accounts
 Be careful of sharing work related information and in particular do not
share any information about clients or violate the mandate against
dual relationships
 Be aware that malicious links, videos, and other harmful items can be
posted on social networking sites
 Check to see if links posted by others are designed to take you to
alternate sites that appear suspicious

Click:
 Only after you are sure the action is legitimate and appropriate and
that you are not compromising your personal information or others
Be social, but also be careful, and appropriate
Report all suspicious postings and information breaches to security
Stop!
THINK
Click
Section Two-Threats: Files

Files Require Protection and Encryption
 The DARS business process requires sharing of information that is
confidential, personally identifiable and sensitive.
 This information must be secured and maintained according to federal
standards, COV security standards and Library of Virginia
requirements.
 Information that is being digitally shared is termed “In Transit” and
must be encrypted. This includes files that are being sent via email. If
digital encryption is not available the policy allows for files to be faxed.

The Common Threat: Data Leak and Data Breach
 Unprotected files may be leaked and data may be stolen.

Result: Potential financial and legal penalties
 Data leaks and breaches may result in identity theft, financial loss,
and other malicious uses. Incidents come with legal and financial
implications to the COV and DARS, and to individuals.
Stop!
THINK
Click
Section Two-Threats: Files

(continued)
Stop: Before you save or share a file
 Assume there is a potential for a data leak or data breach.
 Understand that sending unprotected files via email is not secure.
 Be cautious that transferring files on the Internet may also not be
secure, depending on how the site is configured. For instance, https
versus http.

Think: Is it Secure?
 When you are saving a file, are you storing it on a secure server , an
encrypted PC or external device that is owned and approved by your
organization?
 Assume that sharing any file is potentially a data leak.
 If sharing a file using email, are you able to use encryption?

Click:
 Only if you are saving the file to a secure location
 Only if you are sharing a file using encryption. If not, use fax
Share Files Securely. Report immediately
all suspected data breaches and data losses
Stop!
THINK
Click
Section Two-Threats: Telework/Internet

Connections
For mobile workers: be careful with your connections
 The ability to work away from the office is beneficial and flexible. But
mobile workers need take special note of the inherent risks when
connected to public access points including wireless connections.
Special care should taken when working with these connectopms.

The Common Threat: It is Public!
 Public access points, or Internet connections, are just that: Public. All
your activity is potentially exposed. Especially if it is wireless.

Result: Compromised systems and data breaches
 Individuals with the knowledge and ability can take over an
unprotected PC and load malicious software or steal information
including passwords.
Stop!
THINK
Click
Section Two-Threats: Telework/Internet Connections (continued)

Be sure to connect securely to public access points
 Virtual Private Network (VPN):
○ VPN allows you to launch a secure Internet connection so that
even with a public access point, you are able to work connected
securely to DARS systems, connect to your own organization’s
applications and file shares with a greater level of confidence.
 Device Encryption:
○ Always make sure your Laptop, Tablet Smart Phone or other
mobile device is password-protected.
○ Device encryption and anti-virus software should be installed on all
mobile devices that connect to COV systems.
Stop!
THINK
Click
Section Two-Threats : Telework/Internet Connections (continued)

Stop: Check your connection
 Assume all public Internet connections are not secure, including all
wireless access points.

Think: Is it Secure?
 When you are prompted to connect to a public access point, be sure
you know what you are connecting to.
 It is not secure unless you connect to a public access point using
VPN.

Click:
 Only if you are confident in the connection and you are using VPN.
Telework Safely!
Always use VPN when you are mobile
Stop!
THINK
Click
Section Two-Threats : Reporting

Incidents
Report incidents and suspicious activities including
potential data leaks and data breaches to:
 Your Manager
 Your Organization’s Security Officer
 Your DARS System Administrator or Security
Contact
○ For ESO’s (LTESS/EES):
- Donna Bonessi or Ella Barnes
○ For AAA’s (NWD):
- Leonard Eshmont
Stop!
THINK
Click
DARS Cyber Security Pledge
I, _____________________________________________ Date: _________________ PLEDGE to:










Stop, and Think (consider appropriateness and risk) before I Click on links,
attachments and other objects that connect to the Internet or launch
programs.
Take personal responsibility for security, follow my organization’s security
policies, and adhere to sound security practices.
Lock my computer whenever I leave my work area.
Safeguard portable computing equipment when I am in public places.
Create and use strong passwords, and never share my password(s) with
anyone.
Never leave a written password (sticky note, etc.) near my computer, or
easily accessible.
Promptly report all security incidents or concerns to my organization’s
security officer or other appropriate contact.
Safeguard Protected Health Information (PHI), Personally Identifiable
Information (PII) and sensitive data from any inappropriate disclosure.
Work to the best of my ability to keep my organization’s staff, property and
information safe and secure.
Spread the message to my friends, co-workers and community about
staying safe online
Stop!
THINK
Click
Remember:
Security is a shared responsibility.
Take the time and care every day
to protect yourself,
your organization,
your clients,
and your family,
through your own cyber-safe practices.
Stop!
THINK
Click
Additional Resources

VITA
 http://www.vita.virginia.gov/security/toolkit/

OnGuardOnline.Gov: Securing your computer:
 http://www.onguardonline.gov/topics/secure-your-
computer

NIST: 7 Practices for Safer Computing
 http://csrc.nist.gov/groups/SMA/fasp/documents/security_
ate/stopthinkclick.pdf
Stop!
THINK
Click
Download