CYBER SECURITY TRAINING Virginia Marine Resources Commission MIS Dept. October 2012.

Page 1:

CYBER SECURITY TRAINING

Virginia Marine Resources Commission MIS Dept.

October 2012

Page 2:

Page 3:

Why?

The Internet Crime Complaint Center (IC3) reported the following statistics for 2011:

Top 10 State Complainant Rates per 100,000 Population

Rank  State        Complaints per 100,000 population
 1.   Alaska       196
 2.   DC           137
 3.   New Jersey   131
 4.   Nevada       130
 5.   Colorado     123
 6.   Ohio         110
 7.   Maryland     109
 8.   Florida      107
 9.   Virginia     106
10.   Washington   104

Source: FTC News

Page 4:

Commonwealth Information Security Incident Report 2011

Source: VITA 2011 Report

Page 5:

Why Worry About Statistics?

• Computer systems have an inherent value both to the computer system owner and to malicious individuals who seek the data stored on the computer systems and the available processing power the computer systems possess.

• Malicious individuals may also be interested in taking over the computer system to store illegal materials or launch attacks that will be traced back to the compromised system instead of the malicious individual.

Page 6:

Why Worry?

• Websites can be disabled and made unavailable

• Office/home computers can be damaged by a virus

• Hackers can break into our databases and steal identity information, not just our customers', but yours as well!

• Malicious users could use our systems to attack other systems

Cyber Security

Page 7:

DID YOU KNOW?

• A Microsoft Windows computer system without the appropriate patches can be exploited in as little as five minutes.

• A modern desktop computer can send 200,000 spam emails an hour.

• Networks of exploited computers can be rented for targeted attacks via web stores controlled by Bot Owners.

BOTS

Page 8:

We Are Part of the Global Society

Age is irrelevant. Young teenagers in various countries have used the internet to hack into the Pentagon sites.

Criminals have created international gang activity using the Internet as their medium, with drugs, financial gain, human trafficking, etc.

Terrorist groups are using the internet to conduct their operations, recruit, and coordinate on a larger scale.

Nation-states are using the internet to conduct reconnaissance and espionage. Stealing intellectual property is not an uncommon practice.

Source: INSA

Page 9:

What to Look Out for?

Page 10:

WHAT IS SPAM?

The simple definition of spam is unsolicited email:

– Product offers

– Misdirection to allow installation of malware

– Misinformation (denial of access)

Page 11:

WHAT IS PHISHING?

According to Microsoft:

“Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, Windows Live IDs, bank and other account data and passwords, or other information.”

Source: Microsoft

Page 12:

TYPES OF PHISHING

• Fake email account reset or mailbox over limit

• IRS, FBI and Treasury scams

• Credit Union and Banking scams

• Major events (Elections, Holidays)

• Social networking Web sites

• Fake Websites

• Websites that spoof your familiar sites using slightly different Web addresses

• Instant message programs

Page 13:

EXAMPLE OF PHISHING

From: Phillips, Sarah (DCR)
Sent: Thursday, September 16, 2010 2:22 PM
To: [email protected]
Subject: Your mailbox has exceeded its size limit

Your mailbox has exceeded one or more size limits set by your administrator. Your mailbox size is 102145 KB.

Mailbox size limits: You will receive a warning when your mailbox reaches 90000 KB. You cannot send mail when your mailbox reaches 100000 KB. You cannot send or receive mail when your mailbox reaches 100000 KB. You may not be able to send or receive new mail until you reduce your mailbox size.

To make more space available, Complete the Questionnaire Below:

UPGRADE NOW

If you clicked on this link it would bring you to a web site asking you to log in with your email username. Once you do that you have provided the “phisher” with your username and password – we had one MRC user do this and within hours thousands of spam emails were being sent under his email address.

Page 14:

WHAT IS A KEYLOGGER?

• A keylogger is a malware software program (it can even be hardware) designed to monitor and log all keystrokes.

• This is one of the biggest threats of some malware since it can allow all information going through a computer to be stolen. Keyloggers are often set up to look specifically for items like passwords, confidential information, PIN numbers, credit card account numbers and SSNs – these are the items most sought by criminals for fraud and identity theft.

Source: VIRUSLIST

Page 15:

WHAT IS SOCIAL ENGINEERING?

According to Microsoft:

“The purpose of social engineering is usually to secretly install spyware or other malicious software or to trick you into handing over your passwords or other sensitive financial or personal information.”

Page 16:

TYPES OF SOCIAL ENGINEERING

• Phishing

• Spear phishing

• E-mail hoaxes

• Telephone or in-person fraud

• Shoulder surfing

NIGERIAN EMAIL SPAM

Page 17:

FAKE ALERT

VMRC has had numerous cases of Fake Alert Trojans in our agency. In each case, the PC had to be reimaged and data was lost.

Remember if you see a pop-up similar to one on the right, turn your computer off immediately and contact MIS personnel. Do not click on anything in an attempt to close this type of “fake alert” window – just a single click executes and installs the malware.

As always, any suspicious computer behavior should be reported immediately to any MIS personnel!

Page 18:

WHERE: WORK AND AT HOME

Page 19:

Don’t be a Statistic, Use Common Sense Online!

YOU ARE THE PRIMARY DEFENSE AGAINST CYBER ATTACKS:

SYMANTEC – 90% of malware requires human interaction

MANDIANT – 100% of successful APT (Advanced Persistent Threat) attacks compromised the human

Page 20:

PROTECT YOUR PERSONAL INFORMATION

• Don’t give out your name, email or home address, phone, account numbers or Social Security number without finding out why it is needed and how it will be protected

• Monitor your email – don’t respond to unknown or unsolicited email

• When shopping online, take measures to reduce the risk – ensure the padlock icon is shown or https: (secured) sites are used

• Read the company privacy policy

Page 21:

PROTECT AGENCY SENSITIVE DATA

What is Sensitive Data?

By statute, sensitive personal information means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted:

1) Social Security number;

2) Driver’s license number or state identification card number issued in lieu of a driver’s license number; or

3) Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial accounts.

Page 22:

PROTECT AGENCY SENSITIVE DATA

What is Sensitive Data?

By statute, sensitive medical information means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted:

1) Any information regarding an individual's medical or mental health history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or

2) An individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.

Page 23:

PROTECT AGENCY SENSITIVE DATA

Remember:

** By statute, at MRC, confidential harvest information is also considered sensitive data

Page 24:

PROTECT AGENCY SENSITIVE DATA

Your Role in Protecting Sensitive Data

• Sensitive data must never be electronically transmitted by email, FTP, flash drive or any other means unless it has been encrypted

• All sensitive data must be stored on the assigned designated network location

• Never copy sensitive information to non-network locations (hard drive) unless properly authorized

• Sensitive data will only be used for legitimate business purposes

• Report all unusual behavior and malware events as soon as possible

• If authorized to store sensitive data on a computer, the agency approved encryption program will be used to secure data

• All users in the agency are required to sign the “Employee Sensitive Data Handling Acknowledgement” form located on our website. This form serves as your authorization to store sensitive data electronically in a non-network location. If you do not remember completing this form or have any question about whether you are authorized to handle sensitive data, please contact Erik at x72262.

Page 25:

ENCRYPTION

• Unless authorized otherwise, store sensitive data only on your designated network drive; if sensitive data is on the network it does not have to be encrypted, but use common sense and encrypt the file if a significant amount of sensitive data is included

• If you are required to carry sensitive data on a mobile device, that data is to be encrypted and you must obtain permission to do so from the agency ISO and Commissioner

• All encryption software will be installed by MIS personnel only

• Never ever send unencrypted sensitive data in an email! Call in the information to the designated person or obtain the proper software from the Commissioner to encrypt it in an email
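As an added example (not VMRC or VITA software), the check below scans an outgoing message for two of the data elements the statute definition on the previous slides lists, Social Security numbers and payment card numbers, and refuses to call the message safe to send unencrypted when any are present. The sample message is constructed; the Luhn filter and the masking helper go beyond the slide text.

```python
"""Pre-send check for statute-listed data elements in an outgoing message.

Added example for this training page; it is not VMRC or VITA software.
It looks for Social Security numbers and payment card numbers (two of the
data elements in the statute definition) and reports them so the sender can
encrypt, redact, or call the information in instead of emailing it.
"""
import re

# Constructed sample message; the name and numbers are made up.
SAMPLE_MESSAGE = (
    "Harvester: J. Smith, SSN 123-45-6789, "
    "card 4111 1111 1111 1111, phone 804-555-1212"
)

# SSN: area 000, 666 and 9xx are never issued; group 00 and serial 0000 are invalid.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum that payment card numbers carry; it rejects most random
    digit runs that merely look like a card number (e.g. phone numbers)."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:          # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive_elements(text):
    """Return [(kind, matched_text), ...] for each SSN or valid card number."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", m.group()))
    return findings


def may_send_unencrypted(text):
    """True only when no statute-listed element is present in the clear."""
    return not find_sensitive_elements(text)


def redact(text):
    """Mask each element to its last four digits, one common way of redacting
    such elements before they leave the network drive."""
    out = text
    for _kind, value in find_sensitive_elements(text):
        out = out.replace(value, "*" * (len(value) - 4) + value[-4:])
    return out


if __name__ == "__main__":
    for kind, value in find_sensitive_elements(SAMPLE_MESSAGE):
        print(f"{kind}: {value}")
    print("safe to send unencrypted:", may_send_unencrypted(SAMPLE_MESSAGE))
    print(redact(SAMPLE_MESSAGE))
```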

Page 26:

PASSWORD

• Your password is the key to your computer; don’t make it readily accessible. Never place your password out in plain view. Keep it secured!

• Never share your password. Your IT person should never ask for your password!

Page 27:

USER IDs & PASSWORDS

• Change your passwords at a minimum of every 90 days

• If your password is compromised or if you suspect a malware infection, immediately change your passwords – always contact your Information Security Officers if this occurs

• Don’t reuse your previous passwords

• Don’t use the same password for each of your accounts

• When your computer prompts you to save or remember your password, click on “No”

Page 28:

STRONG PASSWORD

• Use at least eight characters, including numerals and symbols

• Avoid common (dictionary) words

• Don’t use your personal information, login, or adjacent keys as passwords

• Use a variety of passwords for your online accounts

Page 29:

PASSWORD TIP

• Use memorable phrases, such as “I hate Mondays!”

• Alternate caps with lowercase, add numbers, and use symbols. Example: 1h@teM0ndays!

• Using this format gives you the opportunity to use the same password for a long time. Simply change at least two characters and most policies will allow you to keep the same password.
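The rules from the STRONG PASSWORD and PASSWORD TIP slides, turned into a checker as an added example (not MRC policy software). The word list and keyboard rows are small constructed stand-ins, and the substitution table that undoes @, 0, $ and 3 before the dictionary check is an assumption about how such a check is usually built.

```python
"""Check a candidate password against the rules on the STRONG PASSWORD and
PASSWORD TIP slides. Added example for this training page, not MRC policy
software; the dictionary and keyboard rows below are constructed."""
import string

# Constructed stand-in for a real dictionary word list.
COMMON_WORDS = {"password", "welcome", "monday", "letmein", "virginia", "summer"}
# Rows of adjacent keys; runs of four or more in either direction are rejected.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Common substitutions undone before the dictionary check (P@ssw0rd -> password).
LEET = str.maketrans("@0$3", "aose")


def adjacent_key_run(password, length=4):
    """Return the first run of adjacent keys found, or None."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            segment = row[i:i + length]
            if segment in low or segment[::-1] in low:
                return segment
    return None


def looks_like_dictionary_word(password):
    """True when the letters, after undoing substitutions, are essentially one
    common word; a phrase such as 1h@teM0ndays! keeps more than a word's worth
    of extra letters around 'monday' and therefore passes."""
    core = "".join(c for c in password.lower().translate(LEET) if c.isalpha())
    return any(w in core and len(w) >= len(core) - 2 for w in COMMON_WORDS)


def check_password(password, login=""):
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numeral")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if looks_like_dictionary_word(password):
        problems.append("looks like a dictionary word")
    if login and login.lower() in password.lower():
        problems.append("contains the login name")
    run = adjacent_key_run(password)
    if run:
        problems.append(f"contains adjacent keyboard keys ({run})")
    return problems


if __name__ == "__main__":
    for candidate in ("1h@teM0ndays!", "P@ssw0rd1!", "qwerty12!", "Ab1!"):
        print(candidate, "->", check_password(candidate) or "OK")
```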

Page 30:

LOGOFF OR LOCK UP

When leaving your desk, remember to log off or press CTRL-ALT-Delete to lock your workstation

Page 31:

SECURITY SOFTWARE

• AT HOME, MAKE SURE THE FOLLOWING PROGRAMS ARE UP-TO-DATE:

– Anti-Virus Software

– Firewalls

– Anti-Spyware and Malware Software

– Email Scanning

– Windows Updates

– Application Software

Windows XP Firewall

Page 32:

UPDATES AT WORK

• Note MRC COV PCs are auto-updated by VITA, but you should still monitor your McAfee virus program to ensure it is working properly

• This can be accomplished by:

- Go to Start Menu > All Programs > McAfee > VirusScan Console

- Check to confirm that your McAfee “Auto Update” and “(Managed) Weekly Enterprise Scan” have run in the last week; if not, contact the MIS department for further guidance

Page 33:

UP-TO-DATE

• At home, in order to protect yourself and your computer you need to ensure that your operating system and web browser are up-to-date

• Security patches are released frequently, so check regularly! Or better yet, set your Windows and browser to auto-update.

Source: Microsoft

Page 34:

BACKUP YOUR DATA

• One of the biggest errors people make is not backing up their data!

• Depending upon your use:

For work we back up network drives every night (we do not back up local C: drive files, so use the network drives for almost all work)

For home you should strive to back up your original files like Word documents, spreadsheets, and pictures at least weekly

Windows XP Backup

Page 35:

MOBILE DEVICES

• Secure your laptop with a cable lock or store it in a locked area or locked drawer

• Keep all devices with you during air and vehicle travel until they can be locked up safely. Do not forget to retrieve them after passing through airport security.

– Always keep your Blackberry and flash drives in a secure location. Maintain physical control of these devices!

• NEVER EVER store unencrypted sensitive data on these devices!

• Limit exposure of your mobile phone number

• Be choosy when selecting and installing apps

• Set Bluetooth-enabled devices to non-discoverable

• Avoid joining unknown Wi-Fi networks and using public Wi-Fi hotspots

• Don’t use third-party device firmware to change access to your device

Source: US-CERT

Page 36:

E-MAIL SECURITY TIPS

• DO NOT send unencrypted sensitive data in an email!

- Always contact MIS if you need to send confidential data by email

• Watch out for phishing emails

• Store critical emails in your personal folders

• COV email accounts must not be auto-forwarded to any external accounts

• Never ever click on an untrusted link in an email; always type the link in the browser. HINT: Hover your mouse over an email link, without clicking; if the web address is different from what you would expect, it may be a phishing or malware website!

• Do not open attachments from unknown sources!

Page 37:

EXAMPLE OF VITA’s MAILBOX SIZE LIMIT EMAIL ALERT

From: Microsoft Outlook
Sent: Thursday, September 20, 2012 2:00 AM
To:
Subject: Your mailbox is almost full.
Importance: High

Your mailbox is almost full.

Please reduce your mailbox size. Delete any items you don't need from your mailbox and empty your Deleted Items folder.

163 MB of 200 MB

** Remember VITA will never send you a hyperlink in this email for you to click on **

Page 38:

WIRELESS SECURITY

• If you are issued a VPN fob, never attach your PIN to the device and always secure your device

• Always secure air cards like you would any mobile device

• Be alert when using a public wireless network; never transfer or access sensitive data while attached to one!

Hint: Try to avoid the use of public wireless networks whenever possible

Page 39:

WIRELESS NETWORKS

Ensure your wireless network is set up as a secure wireless network:

http://www.microsoft.com/windowsxp/using/networking/setup/wireless.mspx

Page 40:

REMOTE ACCESS

• Only authorized personnel are allowed to access their network drives remotely

• Don’t use public Wi-Fi to access the VMRC network server

• Secure all VPN fobs as you would a laptop computer and never attach your PIN to the device

• Remember to never access sensitive data in a public location

Page 41:

WHEN TO CONTACT MIS AND OTHER AGENCIES

Page 42:

When to Contact MIS?

• Contact any of your MIS personnel and your supervisor about any cyber security incident!

Page 43:

Contact MIS for Software Installation

• Remember to never install software on any device (computer, USB, Blackberry, etc.) without permission from the ISO. This is to ensure we have met all licensing and copyright requirements.

Page 44:

Contact MIS for Account Access

MIS has an automated data system account request process. This process replaces the paper form signatures used in the past. Supervisors will initiate new account requests by logging into the portal: https://webapps.mrc.virginia.gov/portal

Page 45:

Contact MIS for Account Access

• Supervisors will log in to the portal with their email address as the username and their password (use the “forgot password” link if you are unsure of your password)

– On the System Access menu select whether the request is for a citizen or an employee and follow the instructions given

– After the request, the assigned custodian will receive an email requesting approval

– Next, the system owner receives an email requesting approval

– Once all approvals have been granted, the user, supervisor, custodian, and system owner receive an email stating the account has been created or documented

• The final notification email includes the terms of use and initial instructions.

• For agency-owned systems the user must also actively acknowledge the terms of use on their first login

• For non-agency-owned systems the user, supervisor, custodian, or system owner may all have to be involved to set up the necessary access to the external data

Page 46:

Contact FTC When Identity Theft Occurs

• File a complaint with the Federal Trade Commission: https://www.ftccomplaintassistant.gov

• Place a fraud alert on your credit reports, and review your credit reports. This can be accomplished by contacting one of the nationwide consumer reporting agencies

• File a Police Report

• Close the accounts that have been tampered with or opened fraudulently

Page 47:

WHO IS IT?

You don’t open your door at home without checking who is at the door,

…so why would you not take the same precaution online!

Page 48:

Thank You!

Thanks for going through the training today. Information Security is critical at work and at home. We appreciate you taking the time to learn the contents of this training and highly encourage you to take some time regularly to read up on security topics. Use our MRC security web page to access more information on security and account request information. Also available on our security web page is the Agency Information Security Policy – all users should be familiar with the policy and their responsibilities for security as an agency employee.

Please contact Erik Barth (x72262); Linda Farris (x72280) or your supervisor if you have any questions about this training or information security topics in general.

Page 49:

References

• FTC News

• Microsoft

• VIRUSLIST

• INSA

• Wikipedia

• Stay Safe Online

• OnGuard Online

• Multi-State Information Sharing and Analysis Center

• United States Computer Emergency Readiness Team

• VITA 2011 Report

• Websense