Welcome to CyberSecurity Annual User Awareness Refresher Training

PowerPoint PPT presentation, 40 slides.

Transcript of Welcome to CyberSecurity Annual User Awareness Refresher Training

Page 1: Welcome to CyberSecurity Annual User Awareness  Refresher Training


Page 2: What is Cybersecurity?

Cybersecurity is the practice of protecting computer systems and networks, including the data they hold, from being:

• Lost

• Disclosed

• Modified

Battelle’s CyberSecurity Protection Program within our Information Management department is chartered with protecting Battelle's:

• Information

• Systems

• Computers

• Networks

Technology alone cannot provide adequate protection.

Information Technology systems and data compromises are at an all-time high, due to:

• Increasing use of computers and the Internet

• More prevalent “Zero Day” exploits

• Advanced sophistication and resources of hackers (e.g., organized crime, nation states)

Battelle is specifically targeted because we are a major government contractor.

Page 3: What is Cybersecurity?

Slide graphic: Home, Office, Another Location.

Be Smart, Safe, and Secure, because this is our Battelle.

Page 4: Safeguarding Information and Data | Overview

You are responsible for:

• Assigned computing devices

• Software

• Passwords

• SecurID tokens

• PINs

• Certificates

In this section, you will learn about Battelle’s principles and techniques of information protection. You will also learn about removable media storage guidelines, sensitive information categories, and reporting requirements.

Page 5: Safeguarding Information and Data | The Principle of Least Privilege

All staff members should apply the Principle of Least Privilege when granting access to sensitive information.

“You give an entity the least amount of access it needs to do its job and nothing else. In this definition, an entity can be a person, computer, or anything on the network.”

Page 6: Safeguarding Information and Data | The Principle of Least Privilege (same slide content as Page 5)

Page 7: Safeguarding Information and Data | Personal Computing Devices

Battelle staff members and contractors may have camera-enabled devices in their possession in general access areas at all Battelle locations.

Use of a camera-enabled device must be consistent with Battelle Policy 1.4, and staff and contractors are responsible to ensure:

• The proper usage of the device and approved areas for use are understood

• The area around the camera field of view is visually checked to ensure no Business Sensitive, Strictly Private, proprietary, or otherwise client-related material is in the background of the shot

• The pictures are not posted on any external social networking sites

Page 8: Safeguarding Information and Data | Personal Computing Devices (same slide content as Page 7)

Page 9: Safeguarding Information and Data | Removable Storage

Removable media represents one of the largest threats to sensitive information. Examples: CDs/DVDs, diskettes, thumb drives, external hard drives, backup tapes, MP3 players.

Be extremely careful when using removable media to transport sensitive information outside of Battelle. Do so only if you must have it for work at home or while on travel.

• Take only the minimum information needed.

• When disposing of the device, return it to Battelle for proper disposal or sanitizing. Caution! Simply deleting the information does not remove it; the device must be sanitized by overwriting a number of times. Contact the IM Service Desk for assistance in sanitizing devices.

• Maintain positive control of the device at all times.

• If any device containing Battelle or client sensitive information is lost or stolen, it must be reported immediately to the IM Service Desk.

• NEVER remove Government Classified or Government Sensitive information from Battelle on a laptop or a removable storage device.

Page 10: Safeguarding Information and Data | Sensitive Information Categories

Sensitive information categories include:

• Government Classified

• Export Controlled Information

• Business Sensitive or Strictly Private

• Sensitive Information

Click on each category for more information.

Page 11: Government Classified

Top Secret, Secret, Confidential, and other categories of government classified information require specialized security measures and are not approved for storage in IM systems, e-mail servers, file servers, SharePoint sites, or PC hard drives. Contact Battelle Government Security or your local Facility Security Officer with questions concerning safeguards for classified information or to report the loss, compromise, or suspected compromise of classified information. The proper reporting telephone numbers can be found on the CyberSecurity Contact List.

Page 12: Government Sensitive Information

Certain information is designated by government agencies as sensitive but unclassified. Common acronyms include FOUO (For Official Use Only) and SSI (Sensitive Security Information). There are over 50 designators for this category of information. The specific acronym and the safeguarding requirements are usually client and contract specific. Contact Battelle Government Security or your local Facility Security Officer for information on safeguarding Sensitive But Unclassified information or to report a loss or compromise.

Page 13: Export Controlled Information

The Department of State and Department of Commerce categorize certain information and technology as being Export Controlled. The transmission of Export Controlled information or technology outside of the United States, or to foreign persons or entities within the United States, requires a license and must be in strict compliance with applicable export control laws and regulations. Battelle is required to implement special security safeguards for export controlled information and technology in our control. The Export Compliance Guide and the Technology Control Plan describe export restrictions, access controls, and safeguards for export controlled information. References to these documents can be found in the CyberSecurity Contact List. There is an Export Control Manager assigned to each product line. For questions about whether information you are working with is export controlled, contact your Export Control Manager. Contact Legal Services for questions on export licensing or to report any export violation or compromise.

Page 14: Business Sensitive or Strictly Private

Such information is generally not releasable to the public and must be safeguarded at all times. The Total Information Protection (TIP) program describes the security measures required for Business Sensitive information and can be found in SBMS. Contact Battelle Government Security or your local Facility Security Officer for more information on safeguarding Business Sensitive information or to report a loss or compromise.

Page 15: Safeguarding Information and Data | Information Protection Techniques

Appropriate security techniques must be used to protect business information in electronic form when transmitting it over public networks, including telephones and the Internet, or transporting it outside of Battelle on any digital media (hard drives, diskettes, CD/DVDs, Zip drives, thumb drives, or other storage devices). The following techniques can be used to protect information and data:

Metadata Removal*

Encrypting Sensitive Information

Secure File Transfer

Compliance Data

Click on each Technique for more information.

*Metadata is the term describing embedded hidden data within Microsoft Office products.

Slide graphic: Hard Drives, CD/DVD, Western Digital Passports, Thumb Drives.

Iron Key is the preferred thumb drive Battelle staff should use.

Page 16: Metadata Removal

Metadata is embedded hidden data, for example, review comments, unresolved tracked changes (added and deleted text), authors’ names, and more. It is Battelle’s best practice not to share or transmit Microsoft Office Word, Excel, or PowerPoint files to non-Battelle entities or individuals without first removing all potentially embarrassing or damaging metadata, unless the external users need to see the metadata (e.g., Tracked Changes and Comments for collaboration reasons). Failure to remove certain types of metadata could be embarrassing, or worse yet, damaging to Battelle.

Refer to the CyberSecurity web page for more information on tools to remove metadata.

**Office 2007 has a built-in metadata cleaning tool.
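As an added illustration, not part of the original training deck and not a Battelle tool, the following Python script shows what a metadata check of a .docx turns up before the file goes outside the company. A .docx is a zip of XML parts: author names live in docProps/core.xml, review comments in word/comments.xml, and unresolved tracked changes appear as w:ins and w:del elements in word/document.xml. The document it inspects is constructed in memory, and the names and comment text in it are invented.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the Office Open XML parts a .docx is made of.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}


def build_sample_docx(with_metadata: bool) -> bytes:
    """Constructed sample: a minimal .docx (a zip of XML parts). With
    with_metadata=True it carries author names, a review comment and
    unresolved tracked changes; otherwise it is a bare one-line document."""
    core = ('<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
            + ('<dc:creator>jdoe</dc:creator>'
               '<cp:lastModifiedBy>Proposal Team Lead</cp:lastModifiedBy>'
               if with_metadata else '')
            + '</cp:coreProperties>').format(**NS)
    body = '<w:r><w:t>Unit price: $150</w:t></w:r>'
    if with_metadata:
        # A deleted old price and an inserted new one, both still tracked.
        body = ('<w:r><w:t>Unit price: </w:t></w:r>'
                '<w:del w:id="1" w:author="jdoe"><w:r><w:delText>$120</w:delText></w:r></w:del>'
                '<w:ins w:id="2" w:author="jdoe"><w:r><w:t>$150</w:t></w:r></w:ins>')
    document = ('<w:document xmlns:w="{w}"><w:body><w:p>' + body
                + '</w:p></w:body></w:document>').format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", document)
        if with_metadata:
            zf.writestr("word/comments.xml",
                        ('<w:comments xmlns:w="{w}"><w:comment w:id="0" w:author="jdoe">'
                         '<w:p><w:r><w:t>Lower the price before sending</w:t></w:r></w:p>'
                         '</w:comment></w:comments>').format(**NS))
    return buf.getvalue()


def inspect_docx(data: bytes) -> dict:
    """Report the hidden data a .docx still carries: author names from the
    core properties and comments, the number of review comments, and the
    number of unresolved tracked insertions and deletions."""
    findings = {"authors": set(), "comments": 0, "insertions": 0, "deletions": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy"):
                el = root.find(tag, NS)
                if el is not None and el.text and el.text.strip():
                    findings["authors"].add(el.text.strip())
        if "word/comments.xml" in names:
            root = ET.fromstring(zf.read("word/comments.xml"))
            comments = root.findall("w:comment", NS)
            findings["comments"] = len(comments)
            for comment in comments:
                author = comment.get("{%s}author" % NS["w"])
                if author:
                    findings["authors"].add(author)
        if "word/document.xml" in names:
            root = ET.fromstring(zf.read("word/document.xml"))
            findings["insertions"] = len(root.findall(".//w:ins", NS))
            findings["deletions"] = len(root.findall(".//w:del", NS))
    findings["authors"] = sorted(findings["authors"])
    findings["clean"] = not (findings["authors"] or findings["comments"]
                             or findings["insertions"] or findings["deletions"])
    return findings


if __name__ == "__main__":
    for flag in (True, False):
        label = "with metadata" if flag else "cleaned"
        print(label, inspect_docx(build_sample_docx(flag)))
```

Run against a real file, replace the constructed bytes with `open(path, "rb").read()`. The check only reports; the Office "Inspect Document" tool (or the metadata tools the CyberSecurity web page lists) does the actual removal, and a second run of this script confirms that `clean` is now true before the file is sent.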


Page 17: Encrypting Sensitive Information

Exercise caution when sending sensitive information outside of Battelle via the Internet. It is especially dangerous to include sensitive information in e-mail messages, because e-mail may be stored in unencrypted form on multiple e-mail servers outside of Battelle. Information Management has implemented an encrypted Secure File Transfer application (FX) to securely transmit large data files over the Internet. Commercial encryption software is available for hard drives, folders, or individual files. Contact IM for recommendations.

Page 18: Secure File Transfer

The Battelle File Exchange service available at fx.battelle.org provides the secure transfer of large files, up to 1GB, over the Internet as an alternative to e-mail and other traditional methods, such as File Transfer Protocol (FTP). FX can be used by all Battelle staff to exchange files between staff and/or external recipients. FX may be used by contractors, clients and partners to exchange files with Battelle staff. Caution: FX is NOT APPROVED for government classified information.

Page 19: Compliance Data

If dealing with credit card (PCI) or Personally Identifiable Information (PII), please see Information Management to ensure standards are followed.

• Personally Identifiable Information (PII): Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

• Payment Card Industry Data (PCI): A worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands.

Note: Both types of data need to be protected and require Information Management to be notified to ensure compliance and appropriate controls are in place to protect the information.
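The two categories above are what data-loss-prevention checks look for in outgoing mail and files. As an added example, not part of the original deck, this Python routine scans text for card numbers and US SSNs and reports findings with the values masked. Card candidates are validated with the Luhn checksum that real card numbers carry, which removes most look-alike digit runs such as order or phone numbers. The sample text is constructed: the card number is the standard Visa test number and the SSN is a made-up value.

```python
import re

# Card numbers: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the 3-2-4 form, excluding area, group and serial values never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most
    card-shaped digit runs (order numbers, phone numbers) that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list:
    """Return one finding per probable card number (PCI) or SSN (PII), with
    the value masked so the report itself does not spread the data."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({"line": lineno, "type": "PCI",
                                 "value": "card ending in " + digits[-4:]})
        for m in SSN_RE.finditer(line):
            findings.append({"line": lineno, "type": "PII",
                             "value": "SSN ***-**-" + m.group()[-4:]})
    return findings


# Constructed sample message: 4111 1111 1111 1111 is the well-known Visa test
# number and passes Luhn; the second number fails it; 000-12-3456 is not a
# valid SSN; 614-555-0100 is a phone number. None of these are real data.
SAMPLE_TEXT = """\
Hi, please process the refund for the customer below.
Card: 4111 1111 1111 1111 exp 09/27
Backup card on file: 4111-1111-1111-1112
Employee SSN for the HR form: 123-45-6789
Ticket 000-12-3456 is not an SSN, and 614-555-0100 is a phone number.
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_TEXT):
        print(f"line {f['line']}: {f['type']} {f['value']}")
```

Only two of the five candidate values are reported: the Luhn check drops the mistyped card number and the SSN pattern excludes the never-issued 000 area number. A check like this is a first filter, not a decision; anything it flags still goes to Information Management as the slide directs.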

Page 20: Safeguarding your PC at Battelle

You have just learned about the primary principles and techniques that Battelle uses to protect information and data. You are responsible for:

• Assigned computing devices (including software and data)

• Use of appropriate security measures commensurate with the value of data and equipment to ensure:

• The device is not stolen

• Data is not lost or corrupted, used in unauthorized ways, or available to unauthorized persons

• All Battelle laptops are required to be encrypted with Battelle’s Safeboot encryption software, available through WebRun

The following methods are used to safeguard your PC at Battelle. Click each method for more information.

Passwords

Virus Protection

Baseline Software

Backup of Computing devices

Sanitization

Screen Saver

Principle

Page 21: Passwords

Password protection is critical to reducing Cybersecurity threats. Take the time to create strong passwords that are easily remembered, but difficult to guess. Battelle adheres to strong password standards, which are automatically enforced by the system.

Battelle staff members must adhere to the following password guidelines:

Passwords Required— Passwords are required on all computing devices used to store or access business information (PCs, BlackBerrys, cell phones, etc.).

Password Sharing— Personal network passwords and SecurID Personal Identification Numbers (PINs) are for use by the assigned staff member only. Sharing personal passwords or PINs with anyone, including family, friends, contractors, or other Battelle staff, is prohibited.

Password Storage and Handling— Passwords and PINs should be memorized. If a written password is necessary, it must be carried on the staff member's person or kept in locked storage. Passwords and PINs must not be kept with or attached to the device (PC, laptop, token, etc.).

Change Passwords Frequently— Network passwords must be changed at least every six months.

Auto-locking— Password-protected auto-locking (e.g., screen savers) must be configured on all computing devices to automatically activate after a maximum of 10 minutes' idle time, to minimize data exposure.

Page 22: Virus Protection

Virus protection is critical for network defense. Current virus pattern files are required on all computing devices connected to the Battelle network, including both business and home computing devices. Battelle provides Trend Micro OfficeScan virus protection software for all Battelle users. Staff members who access the Battelle network from home for work are licensed to use OfficeScan.

Page 23: Baseline Software

All staff members are required to maintain baseline software on all Battelle PCs connected to the Battelle network, and are further required to install patches distributed by IM within the specified timeframe. Computing devices that cannot meet these requirements because of project or engineering constraints must be reviewed and approved by IM. The IT Asset Manager (ITAM) must approve any non-baseline software. IM maintains a list of software already approved by the ITAM as well as software that has been prohibited by the ITAM. For more information, see the Desktop Baseline Software web site in the CyberSecurity Contacts List.

Page 24: Backup of Computing Devices

Staff members are required to make periodic backup copies of business data residing on any computing device for which they are responsible. The “Connected” automatic backup system is available in Columbus and many regional offices. Contact your local IT Coordinator or the IM Service Desk to determine if Connected is available to you.

Page 25: Sanitization

Information contained on discarded devices and media can lead to serious information compromise. These devices and media include PCs, PDAs, BlackBerry devices, cellular telephones and all removable media, including external hard drives, diskettes, CDs/DVDs, Zip drives, thumb drives, or other storage devices. Battelle staff members are required to remove all data and software when disposing of any system that has been used to store or process Battelle data. Sanitizing, destroying, or disposing of all devices and digital media must be accomplished by IM-approved methods. Battelle leased and owned PCs, PDAs, BlackBerry devices, and cell phones must be returned to IM for disposal. At the Columbus and West Jefferson, Ohio campuses, you may deposit many forms of electronic media in the Business Sensitive Information Disposal Bins identified with the label shown on the slide. Bins are typically located in the same room as the walk-up copiers and/or printers. If your site does not have local procedures for disposal of electronic media, please contact Government Security for guidance in establishing a local (or site-specific) Business Sensitive Information Disposal Program.

Page 26: Screen Saver

Password-protected auto-locking or screen savers are required on all computing devices that contain Battelle information, including BlackBerry devices and PDAs, and must be set to activate after 10 minutes of inactivity. This is automatically set for PCs on the Battelle network. When you step away from your PC, you must manually lock your PC by pressing either the Windows key and L together, or the Control-Alt-Delete keys and clicking Lock Computer.

Page 27: Safeguarding the Network

Not only do you have the responsibility to protect your PC, you also need to protect our Battelle network. We create a large amount of sensitive data:

• Intellectual property

• Product information

• Proposal information

• Other sensitive materials

Page 28: Safeguarding the Network | Visitors and Staff

Visitors must never be permitted to connect to the LAN (Local Area Network).

• Visitors can knowingly or unknowingly introduce malicious viruses or software into the network.

• Staff members are not permitted to directly connect non-Battelle owned or leased storage devices to the Battelle network. If necessary, visitors can use Visitor Internet Ports (VIPs) for Internet access.

• Visitor Internet Ports (VIPs) are clearly labeled for access and are now available in many of our Battelle conference rooms. All VIP-enabled rooms are labeled as shown on the slide.

• Staff members may connect from VIPs into the LAN using IM-approved methods for remote access.

• Visitors must utilize VIPs to connect to the Internet at Battelle.

Page 29: Safeguarding the Network | Network Protections

To prevent compromise of our Battelle network, you must comply with the following prohibitions:

• Personally owned computing devices and removable storage devices (for example, thumb drives) are not permitted to be connected to the Battelle network or Battelle computing devices.

• Peer-to-peer music sharing and file sharing is prohibited.

• Automatic forwarding of Battelle mail to outside e-mail accounts is prohibited.

• Accessing personal e-mail accounts from the Battelle LAN is prohibited.

• Illegal, pornographic, or harassing material is prohibited.

• Wireless Access Points are prohibited on the Battelle LAN without explicit IM approval.

At all times adhere to Battelle Professional and Ethical Standards.

Page 30: Avoiding Attacks and Threats

All computers and networks are susceptible to attack, unauthorized use, or unauthorized access when connected to the Internet. Battelle has strong security controls on network servers and desktops, and uses a firewall to filter traffic from the Internet; however, constant vigilance is required to keep your computer and our network safe. To learn more about the tools hackers may use to gain access to your computer, roll your mouse over each example below:

• Virus

• Worm

• Keystroke Logger

• Trojan Horse

• Password Cracker

Page 31: Avoiding Attacks and Threats | Email Precautions

E-mail is one of the primary methods by which PCs are compromised.

The following are guidelines that will help you identify suspicious e-mail and attachments:

• Be extremely cautious of e-mail from a sender you do not recognize; however, sender addresses are easily faked, so knowledge of the sender is no guarantee that the e-mail is safe.

• If the e-mail is not work related, don’t open it.

• Be wary of any e-mail asking for personal information.

• Be suspicious if the language, grammar, spelling, or content of the e-mail is inappropriate.

• Exercise caution if an e-mail contains an attachment you were not anticipating. Many attachments which look safe, for example, Microsoft Word files, are often infected. If you feel you need the attachment for Battelle business, contact the sender via phone if possible to confirm that the attachment is legitimate. Replying to the e-mail may cause more spam to be sent to your account.

• Microsoft and other software vendors never distribute software updates via e-mail. If you receive an e-mail claiming to have software updates, it is almost certainly infected. DO NOT OPEN IT. Report it immediately to the IM Service Desk.

• Electronic greeting cards or postcards frequently contain dangerous software and should be deleted immediately.

• Do not click on hotlinks in e-mail messages. Hotlinks in e-mail text are often spoofed, leading to attacks.

• E-mail is neither secure nor confidential. Exercise caution when sending sensitive information outside of Battelle via e-mail. Use Battelle's FX (Secure File Transfer) utility to transmit sensitive information. See the IM website for instructions.

• E-mail that is threatening in nature must be reported to Security Operations or the Battelle IM Service Desk.

Page 32: Avoiding Attacks and Threats | Internet Browsing Precautions

Careless Internet browsing is another primary method by which PCs are compromised and then used to gain network access. Follow these guidelines when browsing the Internet:

• Exercise care if browsing sites of unknown security.

• The Internet should be accessed from Battelle owned or leased equipment only for authorized business and very limited personal use.

Page 33: Avoiding Attacks and Threats | Social Engineering Precautions

Social Engineering is using social skills and tricks to convince you to give up critical information. Click on common attack techniques below for more information.

• Phishing

• Road Apple

Page 34: Avoiding Attacks and Threats | Social Engineering Precautions (same slide content as Page 33)

Page 35: Phishing

Phishing applies to email appearing to come from a legitimate business — a bank, or credit card company — requesting "verification" of information and warning of a dire consequence if the recipient does not respond. The e-mail usually contains a hotlink to a fraudulent web page that appears legitimate — with company logos and content — and includes a form to provide personal information, ranging from a home address to passwords to an ATM card's PIN. Never click on hotlinks in e-mail messages. These links are often spoofed and point to sites that can download infections to your PC.
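The e-mail guidelines on Page 31 and the phishing description above can be expressed as simple checks. As an added example, not from the training deck and not a Battelle tool, this Python script parses a message and flags a Reply-To domain that differs from the sender's, urgency wording in the subject or body, a link whose visible text names a different host than its href (the spoofed hotlink the slide describes), a link that points at a bare IP address, and an attachment of a type that runs code when opened. Both sample messages are constructed with reserved test domains and an address from the documentation IP range; they are not real mail.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types that run code when opened; names are lower-cased before matching.
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".hta", ".docm", ".xlsm")
# Pressure wording typical of "verify your account or else" lures.
URGENT = ("verify", "verification", "suspended", "immediately", "within 24 hours")
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from the <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Host of a URL, or of a bare domain as written in link text, lower-cased."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def analyze(raw: str) -> list:
    """Return the reasons a message looks suspicious (empty list if none)."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    from_domain = parseaddr(str(msg.get("From", "")))[1].lower().rpartition("@")[2]
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].lower().rpartition("@")[2]
    if reply_domain and reply_domain != from_domain:
        reasons.append("reply-to-mismatch")   # replies go somewhere other than the sender
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    if any(word in haystack for word in URGENT):
        reasons.append("urgent-language")
    if body is not None and body.get_content_subtype() == "html":
        collector = _LinkCollector()
        collector.feed(text)
        for href, shown in collector.links:
            href_host = _host(href)
            if IP_LITERAL.match(href_host):
                reasons.append("ip-literal-link")
            # Visible text that looks like a URL but leads to a different host.
            if re.match(r"^(https?://|www\.)", shown, re.I) and _host(shown) != href_host:
                reasons.append("link-text-mismatch")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(RISKY_EXT):
            reasons.append("risky-attachment")
    return reasons


def build_sample(phishing: bool) -> str:
    """Constructed sample messages (not real mail); all domains are reserved test names."""
    msg = EmailMessage()
    msg["To"] = "user@example.test"
    if phishing:
        msg["From"] = "Account Security <alerts@bank-example.test>"
        msg["Reply-To"] = "support@mail-relay.invalid"
        msg["Subject"] = "Action required: verify your account within 24 hours"
        msg.set_content(
            "<p>Your account is suspended. Sign in at\n"
            '<a href="http://198.51.100.7/login">https://www.bank-example.test/verify</a>\n'
            "to restore access and run the attached update.</p>\n", subtype="html")
        msg.add_attachment(b"not a real program", maintype="application",
                           subtype="octet-stream", filename="SecurityUpdate.exe")
    else:
        msg["From"] = "Jane Colleague <jane@example.test>"
        msg["Subject"] = "Lunch on Thursday?"
        msg.set_content("Are you free for lunch on Thursday?\n")
    return msg.as_string()


if __name__ == "__main__":
    print("phishing sample:", analyze(build_sample(True)))
    print("benign sample:", analyze(build_sample(False)))
```

Each reason maps to one of the slide's warnings: the spoofed hotlink, the unexpected attachment, the software "update" by e-mail, and the verification demand. A message that trips none of these is not proven safe, which is why the guidelines still say to confirm unexpected attachments by phone.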


Page 36: Road Apple

A road apple is a real-world variation of a Trojan Horse that uses physical media and relies on the curiosity of the victim. The attacker leaves a malware-infected floppy disc, CD-ROM or thumb drive in a location sure to be found (bathroom, elevator, sidewalk), gives it a legitimate-looking and curiosity-piquing label, and simply waits.

In some cases, hackers have mailed official-looking CDs or thumb drives to users. These are often imprinted with the logo of clients or business partners. When the user inserts the CD or thumb drive into the PC, infected files are secretly installed. These files can infect other PCs and servers on the network, and can lead to serious compromises of information.

Page 37: Security while Traveling

Battelle offers its employees a wide range of portable devices for business use. These items can include:

• Laptops

• Cell phones

• BlackBerry devices

• Thumb drives

• Identifiable articles

For information regarding travel outside of the country, please see the Travel website.

Page 38: Roles and Responsibilities

Battelle staff members are responsible for the appropriate use and protection of assigned computing devices and software, and any assigned authentication mechanisms (passwords, SecurID tokens, Certificates, etc.). Violations of security policy or loss of computing devices or information must be reported to the IM Service Desk.

Review the chart below for more information regarding roles and responsibilities. Select each role to see the responsibility assigned.

• Managers: Ensuring Cybersecurity policies and procedures are implemented and enforced.

• Information Owners (examples: Project Leaders, SharePoint Admins, Web Masters, etc.): Protecting the integrity, confidentiality, and accessibility of the information commensurate with the damage that could occur if the information is compromised.

• Information Management: Configuration control, management oversight, and security of firewalls and networks, and providing guidance to staff on cybersecurity issues.

• Security Department: Physical security, investigations, technology controls, regulatory compliance.

Ethics Standards | Business Ethics and Conduct | CyberSecurity: “The protection of our vital computing and network resources, and the information that resides therein, is of critical importance to Battelle. Use of Battelle network and computing resources is a privilege extended to our staff to allow them to do their work more efficiently and effectively.” (BPM 1.4.4)

Page 39: Contacts and Information Sources

We are all responsible for protecting Battelle’s information and data. If you’re not sure about cybersecurity policies and procedures or are in need of assistance, the links and contact information below will guide you to the correct information; click on the link below to save the PDF document to your desktop. Be smart, safe and secure, because this is our Battelle.

Page 40: Summary

You have just completed your training on Cybersecurity. You should now be able to:

• Describe the goals of the Cybersecurity program and the type of threats Battelle is facing

• Describe the principles and techniques of information protection

• Describe the policies and solutions to safeguard your office computer

• Identify methods to safeguard the Battelle network

• Recognize how to avoid attacks and threats to Battelle

• Recognize CyberSecurity risks while traveling

• List roles and responsibilities of staff members and their importance to Battelle CyberSecurity

• List contacts and information sources for Battelle CyberSecurity