Page 1

For use by ASR Field Team only. Do not duplicate or distribute without authorization from ASR.

Information / Data Security Awareness

ASR International Corporation An ISO 9001:2015 Certified Company

Assessed at SEI CMMI Level 3

Over 30 years of extraordinary support to a wide variety of industries.

ASR Training Material

Security Application Series- SEC 001- DOR 20130618

Page 2

Information / Data Security

Cyber attackers / criminals are relentlessly targeting information / data assets such as intellectual property, engineering designs / know-how, supplier information, trade secrets, customer lists, financial information, emails, customer account information, etc. Several well-known companies (Google, Adobe, Yahoo, Symantec, and many others) have all been victims of cyber hacking!

During your tenure with ASR, you will work with or have access to sensitive / classified / Government / proprietary commercial information. It is your responsibility to protect this valuable asset. Unauthorized (or unintentional) disclosure or loss of information / data could lead to grave financial and reputational loss / damage for ASR / customers / suppliers, leading to negative relationships with customers. In addition, this could result in possible civil and criminal sanctions resulting from noncompliance with national, state and federal laws!

Information / Data Security is Everyone’s Responsibility!

Page 3

Why Information / Data Security Awareness?

Information / data security is not about technology. It is about people. Advanced information security systems deployed to stop hackers, phishers, spies, saboteurs, and cyber criminals / attackers are often compromised by the complacency, inattention or incompetence of the users! You can unknowingly pose information security risks in several ways:

♦ Carelessness with passwords or use of weak passwords,

♦ Opening email attachments from dubious or suspicious sources,

♦ Not logging off from the network or the internet connection after use,

♦ Using wireless connections in an unsecure manner,

♦ Reduced emphasis on physical security resulting in loss or theft of your laptop, portable devices, mobile devices, storage devices, smart phone etc. containing valuable data and information.

It is essential that you understand the vulnerabilities of cyber space because you can unintentionally or unknowingly endanger the computer system / network of ASR / customer / supplier with grave consequences.

Page 4

Why Information / Data Security Awareness (Cont’d)?

With companies becoming more reliant on information assets, cybersecurity, which was once considered an IT issue, now underpins almost all business initiatives. Cyber attacks / security breaches inflict significant financial and reputation losses and may even jeopardize national security!

♦ Do you realize that you could be targeted?

♦ Do you know what constitutes a “suspicious contact”?

♦ Do you know what to do if you suspect that you are being targeted?

♦ Do you know that deleting files from a storage device merely removes the information the computer needs to find the files? It only removes the pointers and changes the file name; “deleted files” can be recovered. Hard drives / storage devices / unwanted computers must be disposed of properly in a secured manner to prevent their unauthorized use,

♦ Do you know that cyber attackers can take control of your computer / system and remove / transfer / modify / delete valuable data and information?

♦ If you are using a mobile device for ASR assignments, do you have it (strong) password protected? Insecure or weak passwords on stolen / lost mobile devices are a growing source of data vulnerability and loss / theft,

♦ Do you know who the Security Contacts within ASR are?

Page 5

Human Factors

“The human factor is typically the most critical variable in information security systems. Even the best policies and technologies can be rendered completely ineffective if users do not take responsibility for safeguarding the information they control.”

Amit Yoran, former Director of USA’s National Cyber Security Division, Department of Homeland Security; National Security Institute article, “Improving Security from the Inside Out, a Business Case for Corporate Security Awareness,” Medway, MA.

Some of the factors that cause security breaches are:

♦ Natural tendency to gossip,

♦ Natural tendency to discuss your work / assignments / projects,

♦ Natural tendency to correct mistakes,

♦ Want to change another person's view point,

♦ Implied knowledge,

♦ Sympathy,

♦ Provocation,

♦ Ignorance,

♦ Flattery,

♦ Common interest.

Page 6

Trade Secret, Proprietary Information Elicitation

“Financial, business, scientific, technical, personnel, customer, economic or engineering information in the form of plans, patterns, compilations, prototypes, devices, formulas, techniques, processes, proposals, presentations, check-lists, documentation, procedures, programs, codes…. whether “tangible or intangible” and regardless of how stored, compiled, memorialized, (physical, electronic, graphic, photographic, audio recording, or written)….and the company has taken reasonable measures to keep such information secret, and the information derives independent economic value (actual or potential) from not being generally known to or attainable by the public…” What’s not a trade secret!

Elicitation: The process of obtaining information under the guise of a social or professional conversation. If done correctly, the subject does not even know that he/she is being interrogated. The individual is unaware that he/she is unwittingly providing information.

Page 7

Cybersecurity

Cybersecurity concerns can be divided into three broad areas:

♦ External / outside threats: These involve computer system attacks using viruses, malware, botnets, phishing scams, worms, etc. initiated by hackers. These are designed to steal data / information, or to take over a computer system to make it inoperative or use it for sabotage. Sometimes fraudulent sites are created to capture valuable information such as bank account numbers / credit card numbers, personal identity information, etc., which is then used for criminal activities,

♦ System Failures: These are the result of vulnerabilities embedded in the software. The identification, management and control of such system weaknesses through intensive testing, and implementation of patches, is an important step in ensuring the security of the cyber infrastructure,

♦ Internal risks: These are due to the human factors which can undo and make ineffective the most sophisticated security safeguards, firewalls and systems. The insider threat / risks may originate from the malicious intent of the perpetrator/s, but in most cases it is because the users lack an understanding of the basic cybersecurity principles and the methods used by hackers to compromise information / data.

A trained, and aware user is the best cybersecurity defense!

Page 8

Common Cyber Threats

Phishing and Spear Phishing: Uses email to deceive you into disclosing personal / organizational information. Spear phishing is directed towards a specific group or an individual.

Tactics:

♦ Email that appears to be from a person of authority / position or a legitimate company / organization. It may have attachments / links that contain malicious programs that embed into the computer and take control of it. Any attached devices such as web cameras and microphones are covertly operated. Data and information is sent to a rogue computer,

♦ May promise you a reward or dire consequences if you ignore the suspicious email,

♦ Directs you to links to a malicious website which looks legitimate,

♦ Asks you to update / validate information on a site or by clicking on a link.

Preventive Actions:

♦ Do not open suspicious emails or attachments. Delete them,

♦ Do not click on suspicious links,

♦ Ensure that the antivirus software on your computer is current and updated. However, do not depend on antivirus software alone!

Page 9

Common Cyber Threats (Cont’d)

Malicious Software (Malware): Software that damages the computer or may make it behave erratically. Malicious SW includes:

♦ Viruses,

♦ Trojan horses,

♦ Worms,

♦ Keyloggers,

♦ Spyware,

♦ Rootkits,

♦ Backdoors.

Tactics: Malicious code is distributed by:

♦ Email attachments,

♦ Downloaded / shared files,

♦ Visits to infected web sites,

♦ Use of removable media – USB, CD, DVD.

Preventive Actions:

♦ View email in plain text format,

♦ Scan all attachments,

♦ Delete emails / attachments from suspicious sources / senders,

♦ Block malicious links / IP addresses and unnecessary / unused ports at the firewall / host,

♦ Turn off automatic downloads.

Page 10

Common Cyber Threats (Cont’d)

Weak Passwords: Use of weak / default passwords is the reason for the most easily exploitable vulnerabilities leading to serious cybersecurity threats. Passwords based on information specific to you (name, dates, cities, pet names) are easily found out.

Tactics:

♦ Exploits the typical user inclination to use the same password across different sites / systems / computers,

♦ Cracking of passwords of less secure sites.

Preventive Actions:

♦ Use a combination of letters, numbers and special characters as allowed by the system,

♦ Do not use personal information as passwords,

♦ Periodically change your passwords,

♦ Do not save passwords / login information in your browser,

♦ Do not share your password,

♦ Do not use common phrases or words as passwords.

Page 11

Common Cyber Threats (Cont’d)

Unpatched or outdated software with vulnerabilities: Software with known vulnerabilities which has not been adequately patched is an easy target for cyber hackers to access information.

Tactics:

♦ Unauthorized system access,

♦ Unauthorized data transmission,

♦ Unauthorized hardware or software access to further exploit the vulnerabilities,

♦ Hacker accesses data / information and corrupts or deletes / erases it,

♦ Hacker sabotages the system.

Preventive Actions:

♦ Stay current with patches and updates,

♦ Do not rely on the firewall alone to protect against all attacks,

♦ Do not attach unauthorized / suspicious devices (USB, external drive) to your system,

♦ Watch for suspicious activities - unauthorized network access, unauthorized / excessive email traffic.

Page 12

Information Collection Techniques

♦ Unsolicited correspondence - “Shotgunning”, email,

♦ Exploiting legitimate access,

♦ Direct submission of Request For Information (RFI),

♦ Information available on the social media sites,

♦ Social networking,

♦ Emotional approach,

♦ Eavesdropping, cyber espionage,

♦ Elicitation,

♦ Recruitment,

♦ Direct monitoring,

♦ Threats or blackmail,

♦ Simply asking,

♦ Technology seminars, trade shows,

♦ Unsolicited requests for information / offers of assistance,

♦ Listening to conversations at bars / restaurants / airports / hotel lounges,

♦ Spyware, cookies, malicious software (malware),

♦ Systems / network hacking,

♦ Phone tapping, interception of communications.

Page 13

Example of Suspicious Email

Page 14

Example of Suspicious Request For Information

From: [email protected]

Sent: Thursday, July 07, 2005 9:04 AM

To:

Subject: Requested Information

Hello, I am Ekanga Adani, a Indian AD Officer, who is a grad of OAC 3-98, Ft. Bliss. What I need is Air Defense, particularly SHORAD lessons learned from OIF. I would appreciate your assistance if you could.

Please send any information to me by my email [email protected].

Thank you.

Ekanga Adani, Cpt, AD, IND.

Page 15

Suspicious Contact - Examples

♦ Personal, telephone, e-mail and written communications (including blogs, chats, twitter, social media sites), asking questions “beyond normal business scope, not relevant, beyond requirements”,

♦ A favorite MO (Modus Operandi) is to place false information in the public arena / internet / social media and have experts “correct” it,

♦ Another MO is RFI – Request for Information – they just ask for information!

♦ Attempts by unknown / unverified callers / contacts to obtain information on people and assignments, projects, equipment, customers,

♦ Incidents before and during travel: luggage / belongings tampering; same hotel room every trip; sense of being followed / observed,

♦ “Beyond normal business scope” questioning by people whose identities / motivation / purpose are not known.

Contact the ASR Security Director or Facility Security Officer for further information / clarifications. The ASR contact information (phone, email, address) is provided on the last slide of this presentation.

Page 16

Example of Suspicious Contact

-----Original Message-----

From: FBI [mailto:[email protected]]

Sent: Tuesday, July 31, 2007 7:02 PM

Subject: Dscovered

The Federal Bureau of Investigation (FBI), discovered through our intelligence Monitoring Network, that you have an on going transaction with some fraudsters who claim to be legally transacting business with you through the internet.

The fraud starts has been arrested and they are right now in the FBI custody. They confessed that they scammed you of some amount of money which we will not disclose to you right now until you fill the form below for verification of ownership. Your money will be sent to you as soon as we have verify that you are the really owner of the money we recovered from the fraudsters.

Please not that you have been legally declared innocent in the transaction between you and the fraudsters because you were deceived by the fraudsters and do not know what you were doing, so do not be afraid of filling the form below and have it sent back to us via this email address ([email protected]).

PAYMENT RELEASE ORDER FORM

1. FULL NAME

2. AGE/SEX

3. NATIONALITY

4. AMOUNT THAT WAS SCAM

5. RESIDENTIAL ADDRESS

6. PHONE NUMBER

7. HOME ADDRESS

Thanks for your understanding and we are sorry for the inconvenience this may has caused you all this while

We await your responds to this mail as soon as possible.

Regards,

Page 17

Security Cleared ASR Team Members

If you are a security cleared ASR Team member, you must understand and comply with the applicable security procedures / requirements, security classification specifications and guides as applicable to your assignment. Some of the security procedures / practices that must be followed:

♦ Protect the information,

♦ If you travel abroad, contact the applicable Security Office in advance to obtain information and security guidance on your destination country,

♦ Do not leave company, customer or other sensitive items / information in hotel rooms or hotel safes,

♦ Do not discuss sensitive information outside of official company or U.S. Government offices,

♦ Keep sensitive information in your personal possession at all times, and only take such information with you, as required, when on official trips,

♦ Refrain from using business cards / other indicative labels as luggage tags,

♦ Do not indicate your affiliations when registering at a hotel,

♦ Avoid potentially hostile or dangerous situations (large crowds and riots),

♦ Ignore or deflect unwarranted inquiries or conversation and provide nondescript answers.

Page 18

Security Cleared ASR Team Members – (Cont’d)

♦ Your security clearance does not give you approved access to all classified information. It gives you access only to information at the same or lower level of classification as the level of the clearance granted, and for which you have a "need-to-know" in order to perform your work,

♦ Do not carry out excessive / abnormal intranet or internet browsing from your work-related computer / network,

♦ When doing your job, you are expected to limit your requests for information to that which you have a genuine need-to-know,

♦ Refrain from discussing classified / sensitive / proprietary information in hallways, cafeterias, elevators, rest rooms, public areas or smoking areas where the discussion may be overheard by persons who do not have a need-to-know the subject of conversation,

♦ Don’t leave electronic devices unattended. If you have to stow them, remove the battery and SIM card and keep them with you,

♦ Shield passwords from the view of others. Don’t use the “remember me” feature on websites; retype the password every time,

♦ Don’t open emails or attachments from unknown sources. Don’t click on unknown / suspicious links in emails.

Page 19

Information Security – Good Practices

Our activities involve extensive use of email, mobile devices, and computers. We need to protect our systems against cyber attacks, hacking and email misuse. When using the office / home computer or a mobile device in connection with your ASR assignments, cybersecurity procedures must be followed. Some useful tips:

♦ Access only those folders / systems / computers for which you are authorized,

♦ Don’t open emails, attachments or links from unknown people / entities or unverified email addresses. These may have viruses, malicious code or trojan horses hidden in them. Delete the emails / attachments promptly,

♦ If you see suspicious messages or activity on your work computer, inform the System Administrator immediately,

♦ Do not attach unauthorized external devices (USBs, disk drives) to the ASR / customer computer unless you are sure of their authenticity and source and you are authorized / permitted to do so,

♦ Check that the antivirus SW on your computer is active and current,

♦ Protect your password. If you think that your password has been compromised, inform the System Administrator promptly,

♦ Do not install any SW / application on the ASR / customer computer unless it has been approved and authorized,

♦ Log off from the system when you are away from it for extended periods,

♦ Disconnect from the Internet when you are not using it.

Page 20

Information Security – Good Practices (Cont’d)

♦ Use the ASR / customer network to store all work related data and information so that it is not lost because of a power outage or surge,

♦ Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about your project, assignment, your colleagues or other ASR, customer or supplier information,

♦ Do not provide personal information or information about ASR, ASR customers or the supplier / your assignment location etc., unless you are authorized by ASR and you are certain of the person's authorization / need to know to have the information,

♦ Avoid revealing personal or financial information in email,

♦ Don't send sensitive information over the Internet before checking a website's security,

♦ Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net; .org vs. .gov),

♦ If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly,

♦ Clear your browser after use: delete history files, caches, cookies, URLs, and temporary internet files,

♦ Empty your “trash” and “recent” folders after use,

♦ Change your passwords periodically,

♦ Install and maintain current antivirus software, firewalls, and email filters.
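The URL advice above can be turned into a mechanical check. The following is an added example, not part of the ASR training material: it extracts the links from a message and compares each host with the domain the message claims to come from, flagging the spelling variations and domain swaps the slide describes, plus two further tricks of the same kind (a brand name used as a subdomain of an unrelated site, and a bare IP address or user@host prefix in place of the real host). The sample message and URLs are constructed; the tiny public-suffix table is an assumption that stands in for the real Public Suffix List.

```python
"""Added example (not part of the ASR training deck): check the links in a
message against the domain the sender claims to be, flagging the look-alike
patterns the slide describes. All sample URLs and the sample message below
are constructed for illustration."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List so that hosts under
# multi-label suffixes such as co.uk are split correctly.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def registered_domain(host: str) -> str:
    """mail.asrintl.com -> asrintl.com; shop.example.co.uk -> example.co.uk"""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def split_registered(domain: str):
    """asrintl.com -> ('asrintl', 'com'); example.co.uk -> ('example', 'co.uk')"""
    for suffix in MULTI_LABEL_SUFFIXES:
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1], suffix
    name, _, suffix = domain.rpartition(".")
    return name, suffix


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, expected_domain: str) -> str:
    """Compare a link's host with the legitimate domain the message claims.

    Verdicts: match, userinfo-trick, ip-address, different-tld,
    lookalike-subdomain, spelling-variation, unrelated.
    """
    parts = urlsplit(url)
    if "@" in parts.netloc:
        # https://asrintl.com@evil.example/ really connects to evil.example
        return "userinfo-trick"
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return "ip-address"          # a bare IP instead of a company name
    except ValueError:
        pass
    actual = registered_domain(host)
    expected = expected_domain.lower()
    if actual == expected:
        return "match"
    act_name, _ = split_registered(actual)
    exp_name, _ = split_registered(expected)
    if act_name == exp_name:
        return "different-tld"       # .com vs .net, .org vs .gov
    prefix_labels = host[: -len(actual)].strip(".").split(".")
    if exp_name in prefix_labels:
        return "lookalike-subdomain"  # asrintl.com.login.example.net
    if edit_distance(act_name, exp_name) <= 2:
        return "spelling-variation"  # asrinti.com, asrlntl.com
    return "unrelated"


def triage_message(body: str, expected_domain: str):
    """Return (url, verdict) for every link found in a message body."""
    return [(u, classify_link(u, expected_domain)) for u in URL_RE.findall(body)]


# Constructed sample: a message that claims to come from asrintl.com.
SAMPLE_MESSAGE = """Please validate your account at
https://www.asrintl.com.account-verify.example/login
or see the notice at http://203.0.113.5/notice and https://www.asrintl.com/help"""

if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE_MESSAGE, "asrintl.com"):
        print(f"{verdict:20} {url}")
```

Only the last link in the sample message resolves to the real asrintl.com; the first two get the verdicts lookalike-subdomain and ip-address, which is exactly the kind of difference a reader skimming the visible text would miss.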

Page 21

Information Security Awareness Tips

Passwords:

♦ Do not use personal information,

♦ Do not use common phrases or words,

♦ Change password regularly,

♦ Combine letters, numbers, special characters.

Avoiding spear phishing / phishing attempts:

♦ Do not access the web by selecting links in e‐mails or pop‐up messages. Type the web address,

♦ View e‐mails in plain text,

♦ Do not give out your password,

♦ Avoid providing personal information in an email.

Emails:

♦ Scan all attachments,

♦ Delete e‐mail from senders you do not know,

♦ Turn off automatic downloading,

♦ Email with caution,

♦ Do not email / forward e-mail hoaxes.

Avoiding computer viruses:

♦ Scan files before uploading them to your computer,

♦ Do not attach unknown, unauthorized devices to the system – thumb drive, flash drive, CD, DVD, external hard drive.

Page 22

Take Home Points - Security Awareness

♦ Recognize that there is a real threat,

♦ Identify and protect trade secrets, proprietary, confidential information,

♦ Protect all technical, customer information / data,

♦ Use strong passwords,

♦ Exercise Need-to-Know for everything, not just classified / confidential information; watch requests beyond “the normal scope”,

♦ Safeguard your computer / password,

♦ Log off when you are finished using the computer system,

♦ Use wireless networks that you trust. Networks in hotels, cafes, libraries, airports may not be secure,

♦ If you are using a public computer, clear the browser cookies and clear the cached files from the browser,

♦ Don’t talk shop in social settings; know your audience at all times,

♦ Beware of suspicious email, unsolicited contacts, telephone calls,

♦ Be careful of suspicious internet web sites,

♦ Avoid downloading files from unknown web sites / email senders,

♦ Do not overlook virus protection. Since new viruses pop up every day, scan for new viruses frequently if you are a heavy Internet user or receive large volumes of unsolicited e-mail.

Page 23

ASR International Corporation

580 Old Willets Path, Hauppauge, NY 11788, USA

Phone: +1 631 231 1086 Fax: +1 631 231 1087

Email: [email protected] Website: www.asrintl.com