SAFE CYBER HYGIENE FOR WORK AND AT HOME (August 2017)
GRC 2017 Cyber Hygiene Presentation 8/9/17
© Bloustein Local Government Research Center, Rutgers University
NJ Government Records Council Annual Training Seminar
August 10, 2017
By Marc Pfeiffer, Assistant Director, Bloustein Local Government Research Center, Rutgers University
SAFE CYBER HYGIENE FOR WORK AND AT HOME
BOTTOM LINE
▪ Criminals try to manipulate people into divulging personal or business information or trick them into schemes to defraud
▪ Criminals can be individuals or part of industrialized cybercrime businesses
No single fix since the threats keep changing; it's a perpetual battle
Some Common Terms
Malware
Destructive form of computer software transmitted by email and website links
Phishing: a form of social engineering that appears as email or a text message that attackers use to gain login credentials or account information
And its evil cousin, the targeted Spear-Phish or Vish, using voice to fool you
WHY SHOULD I CARE?
• 60% of employees will click a phishing link
• 30% of them will actually give up organization credentials
• 20% stated they would sell their organizational password
REALITY: the bulk of successful attacks come because an employee clicked on something they shouldn't have
Types of Attacks and Threats
• Targeted Attacks
– Government agencies are generally targets
– It also happens if something goes wrong
• Mass Attacks
– This stems from successful email phishing, social engineering, plus "brute force" attacks on networks
• Man-in-the-Middle Attack:
– A link to a log-in site that looks legit, but is fraudulent and will steal your credentials
• Unsecure humans
– Clicking on the wrong link / opening the wrong file
– An employee who steals data for resale or illegal use
PHISHING EMAIL EXAMPLES
Phishing email poses as an important email from a trusted organization
– A notification from the post office, UPS, or FedEx shipping informing the recipient of a delivery
– A message from a utility provider or retailer about an overdue bill
– An alert about the recipient's tax return
– Invoices or notices for goods and services (Amazon, Costco)
– Fake credit card reward schemes
– Direction from your employer, i.e., need to log in because you lost some permission
Each variation relies on our instinct to act on messages that appear to be urgent
EMAIL AS SOURCE OF MALWARE?
- Embedded, but fake, links entice you to open harmful websites
- Spoofed "from" addresses
- Attachments that are or have embedded viruses or malware (docx, xlsx, pptx, html, zip)
- MS Office documents can have malicious macros in them
- Embedded images containing hidden code exposing you to harm
- Coupons and advertisements with "hidden agendas"
REASONS FOR CLICKING?
• CURIOSITY = 34%
• MET AN EXPECTATION = 27%
• INVESTIGATION = 17%
• KNOWN SENDER = 16%
• TRUST IN CONTEXT = 11%
• FEAR = 7%
• AUTOMATIC = 3%
• Clicking on an attachment or a link embedded in a suspicious email launches a program that encrypts (or rewrites) your files
SO WHAT HAPPENS?
• The files are held for ransom; the hacker who sent the email will require a payment from you before they will (hopefully) send you the key (a line of computer code) that decrypts the files and restores them.
• Hope you have backups to restore your system; otherwise you pay!
• You are now known to hackers as a victim and will be subject to future attacks
PROTECT YOURSELF FROM EVIL EMAIL
• Learn to hover and read links!
• Be suspicious of unexpected emails
• Do not open attachments you are not expecting:
  • Confirm first with the sender if it looks important
  • Or just delete it
• Always be suspicious (do not let your guard down)
• If it doesn't look right, it's not right
• Do not log in to an account from an email link unless you verify it's a legit email and site
• Never unsubscribe from a group that you are unfamiliar with or did not subscribe to
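The "hover and read the link" habit and the "embedded, but fake, links" warning, written as a check that a mail filter or help desk could run over a message (an added example, not code from the presentation). The sample email and every domain in it are constructed for this example; the script only reads the HTML and never fetches anything.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email (not from the presentation): a link whose visible text
# names one site but whose href goes elsewhere, an honest https link, and a
# "log in" link served over plain http.
SAMPLE_EMAIL = """
<p>Your package is waiting. Track it at
<a href="http://parcel-notice.example.net/track">https://www.shipper.example.com/track</a></p>
<p>Or visit <a href="https://www.shipper.example.com/">www.shipper.example.com</a></p>
<p><a href="http://portal.example.org/login">Log in to restore your permissions</a></p>
"""

def host_of_url(url):
    """Host part of a URL, lower-cased, with a leading 'www.' dropped."""
    host = (urlparse(url.strip()).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host
def host_in_text(text):
    """Host a reader would infer from link text, or '' if it is not a URL/domain."""
    text = text.strip()
    if not text or " " in text or "." not in text:
        return ""
    return host_of_url(text if "://" in text else "http://" + text)
class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None
def suspicious_links(html):
    """Return (href, visible_text, reason) for each link that fails the hover check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown, real = host_in_text(text), host_of_url(href)
        if shown and shown != real:  # displayed site and real destination differ
            findings.append((href, text, f"text shows {shown} but link goes to {real}"))
        elif urlparse(href).scheme == "http":  # credentials would travel unencrypted
            findings.append((href, text, "plain http, not https"))
    return findings
```

Run `suspicious_links(SAMPLE_EMAIL)` and the first and third links are reported; the honest https link passes.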
"But, I Think I'm Smart About This"
• "I knew, if this was something dangerous, my Norton would protect me"
• "I use Firefox and MacOS, so I'm not afraid of the viruses"
• "After I googled it, Photocloud.com seemed to be a clean website"
• "I googled the email address […] I found nothing"
• "I consider our webmail to be safe"
HOW STRONG IS YOUR PASSWORD?
• A six character, single case password = 308 million possible combinations
• Combining upper and lower case and using 8 characters instead of 6 = 53 trillion
• Substituting a number for one of the letters yields 218 trillion
• Substituting a special character: 6,095 trillion
What That Means to You
• Use strong passwords or, better yet, pass-phrases; do not use names, dates of birth, or anything known about you
• Change them periodically
• Do not share passwords! But, if you must, consider that:
– Anything that happens on that account gets treated as if you did it
– If you do share a password, change it to something generic before and back to something complex after; or change it after its use
• Use a personal password manager
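The four figures on this slide come from raising the size of the character set to the power of the password length. The script below (an added example, not from the presentation) reproduces them and goes one step further: it assumes character sets of 26, 52, 62 and 94 symbols, which the slide does not name, adds a 4-word passphrase row built on a 7,776-word list (the usual diceware list size, an assumption), and converts each keyspace into worst-case guessing time at an assumed rate of 10 billion guesses per second.

```python
import math
import string

# Character sets assumed for the four slide bullets. The slide does not name them;
# these are the sets whose sizes (26, 52, 62, 94) reproduce its figures exactly.
CHARSETS = {
    "single case letters": string.ascii_lowercase,
    "upper and lower case": string.ascii_letters,
    "plus a number": string.ascii_letters + string.digits,
    "plus a special character": string.ascii_letters + string.digits + string.punctuation,
}
# Slide rows as (character set label, password length).
SLIDE_ROWS = [("single case letters", 6), ("upper and lower case", 8),
              ("plus a number", 8), ("plus a special character", 8)]

def keyspace(charset, length):
    """Number of distinct passwords of exactly `length` characters drawn from charset."""
    return len(charset) ** length

def entropy_bits(symbols, length):
    """Entropy in bits when each of `length` positions is picked uniformly from `symbols` choices."""
    return length * math.log2(symbols)

def passphrase_keyspace(words, list_size=7776):
    """Keyspace of `words` random words; 7,776 is the diceware list size (assumption, not on the slide)."""
    return list_size ** words

def years_to_exhaust(combinations, guesses_per_second):
    """Worst-case years for an attacker who tries every combination at the given rate."""
    return combinations / guesses_per_second / (365 * 24 * 3600)

def slide_table():
    """The slide's four figures as (label, length, combinations, bits)."""
    return [(label, n, keyspace(CHARSETS[label], n), entropy_bits(len(CHARSETS[label]), n))
            for label, n in SLIDE_ROWS]

if __name__ == "__main__":
    rate = 1e10  # assumed offline guessing rate: 10 billion guesses per second
    for label, n, total, bits in slide_table():
        print(f"{n}-char {label:25s} {total:>22,d}  {bits:5.1f} bits  "
              f"{years_to_exhaust(total, rate):10.4f} years")
    p = passphrase_keyspace(4)
    print(f"4-word passphrase            {p:>22,d}  {entropy_bits(7776, 4):5.1f} bits  "
          f"{years_to_exhaust(p, rate):10.4f} years")
```

The table shows why the slide recommends pass-phrases: four random words from a 7,776-word list already outnumber the 8-character "plus a number" password by a wide margin.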
SAFE WEB BROWSING
THE PROBLEMS WITH BROWSING
This is not your mother's internet!
Use of passwords on insecure pages
Malware-loaded pages
Unexpected pop-ups
HTTP vs. HTTPS
http://masterupdate.net/.....
If you are unsure about this type of pop-up, search for “flash update” and go to an adobe.com site to check. Don’t download from a pop-up that’s not from the adobe.com website.
Beware of free downloads from coupon and download sites – malware often follows!
And watch where you click!
Safe Browsing @ Work and @ Home
• DO NOT CLICK ON suspicious pop-ups or unexpected messages when browsing!
– If at work, call IT; if at home, close the window or disconnect from the network
– Work is work, not home!
– Remember your web browsing activities are tracked (even if you clear the browser history)!
– DON'T CLICK on that pop-up!
– Test a page by looking at it full size and then shrinking it. If it won't or doesn't, close the browser!
• DON'T CALL the number on the screen
• Things that are too good to be true aren't true. Don't click on them or delete them
• Caught in a loop? Shut down and reboot
• Stay Safe: Browse trusted sites:
  • Know the address: HTTP vs. HTTPS, and no passwords on non-https sites
  • Use two-factor authentication when offered
  • Don't download "toolbars" or cleaners, unless known or checked out. You probably don't need them
KEEP YOUR COMPUTER UP TO DATE
Keep Windows, antivirus, and browser updated with the latest versions
Forms of Social Engineering
• In-person
• Phone
• Digital
BEWARE OF… phone callers asking for confidential employer or personal information, even if they claim to be from IT or a vendor. Refer them to IT support or hang up.
'Can you hear me?' phone scam: faux telemarketers asking unwilling victims to respond with a single word to "Can you hear me?" Do not reply with "yes".
Don't click on text message links from someone you don't know
UNFORGETTABLES
• Do not log on and off a computer when asked by another employee or outside person – unless identity is verified
• Caller ID can be "spoofed"
• Use two-factor authentication for transactions whenever it's available
• Fiscal and HR people: POSITIVELY confirm all emailed directions for anything (especially for personnel information and payment direction)
• Use a passcode on mobile devices
• No system is 100% perfect, since threats are always changing
• Stay aware: stop, think, then connect
• Call your IT support person when in doubt
• At home: www.malwarebytes.org if you get infected
UH, NOPE
PUTTING IT ALL TOGETHER
• Don't be curious – just don't click
• Online, free is never free
• Be suspicious – hover first and check it out
• If you didn't ask for it, you don't need it
• Never open attachments from unknown people
• Don't instinctively open files from people you know but were not expecting; check with them first
• Lock your PC when away from your desk – "Ctrl+Alt+Del > Enter" or "Windows+L"
• Test yourself: search for "Pew Cybersecurity Quiz"
• www.pewinternet.org/quiz/cybersecurity-knowledge/
For more information for work or home or school: www.stopthinkconnect.org
FOR FURTHER DISCUSSION & COMMENTS
Marc Pfeiffer, Assistant Director
Bloustein Local Government Research Center
Bloustein School of Planning and Public Policy
Rutgers University
Marc.Pfeiffer@rutgers.edu
• Technology Risk Management Papers at:
– http://blousteinlocal.rutgers.edu/managing-technology-risk/
• Or search for "Bloustein Technology Risk"
AND NOW… SOME WORDS ABOUT TECHNOLOGY RISKS AND PROFICIENCY
Categories of Technology Risk
Cyber-security
Financial
Operational
Legal
Reputational
Societal
THREE ELEMENTS OF PROFICIENCY
Technology Management
• Governance – decisions
• Planning – what to do
• Budgeting – how to fund
Cyber Hygiene
• Employee training
• Adopted policies
• Encryption of PII and PHI
Technical Competency
• Meets minimum standards
• Access to expertise
• Incident response plans
MINIMUM ACCEPTABLE LEVELS: TECHNICAL COMPETENCY
Minimum Backup Practices
Timely Software Patching
Strong Defensive Software
Server Physical Security
Access Privilege Controls
Technology Support
MINIMUM ACCEPTABLE LEVEL: SOUND CYBER HYGIENE
Employee training
Policies: Email, Internet, Password
Protect PII and PHI
Password strength