2016 Secure World Expo - Security Awareness


Transcript of 2016 Secure World Expo - Security Awareness

Page 1: 2016 Secure World Expo - Security Awareness


Security Awareness 2.0: The Human Element
Pedro Serrano

Page 2: 2016 Secure World Expo - Security Awareness

Agenda
• Your role in Security
• Stop / Look / Think
• Password Management
• Wi-Fi Connectivity
• Securing your email
• Phone Connectivity
• Wi-Fi on all the time?
• Signs of a Phishing Attack
• ONECLICK, CEO Scam
• Passwords
• The longer the better
• Protecting your ID
• PII, what's that?
• Electronic Alerts
• Banks, Email, FB, LinkedIn
• Phishing Emails
• Out Of Office reply

Page 3: 2016 Secure World Expo - Security Awareness

Your Role (Stop, Look, Think)
• You Are Being Targeted
This is why security starts with you!
• How = Tricked into opening files that contain malicious programs
• They can be in .pdf, .doc, .mp3, .jpg, .xls (the only safe one: .txt)
• Via Malicious Programs = Malware, Virus, Worm, Keyloggers, Trojan
• How = By infecting our systems via Spam, Phishing or Spear Phishing. They all involve the human element (all spam and phishing need you to be successful!)
• Where = Email, Skype, Facebook, Twitter, LinkedIn (via a link)
• So your system is now infected – now what?
• Call your support team
• Disconnect your PC or laptop from the network / turn it off

Page 4: 2016 Secure World Expo - Security Awareness

Passwords
• Don't tell your passwords to anyone!
• Tech support will (should) not ask!!! (trust but verify)
• Don't use simple dictionary words, pet's names, or people's names for passwords.
• Avoid anything that exists in the dictionary.
• Use passwords that are at least 12 characters long.
• Telephone #… 201.867.5305: easy to remember!
• Create a "pass phrase" instead of just one word: V0t3f0rP3dr0, 1P7ayP0k3m0n!
• Does size matter? … Yes!!! See www.grc.com/haystack.htm
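The "does size matter" point can be made with a few lines of code. What follows is an added example written for this page, not from the talk and not grc.com's calculator: it estimates the brute-force search space a password forces an attacker to cover, in the haystack style the slide links to, from the password's length and the character classes it uses. The class sizes (26 lower, 26 upper, 10 digits, 33 symbols) and the guess rate of 1e11 per second are assumptions for illustration.

```python
# Added example (not from the talk): estimate the brute-force "haystack" size of a
# password from its length and the character classes it uses. Class sizes follow
# printable ASCII (26 lower, 26 upper, 10 digits, 33 symbols incl. space); the guess
# rate is an assumed figure for a fast offline cracking rig.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
ASSUMED_GUESSES_PER_SECOND = 1e11


def alphabet_size(password: str) -> int:
    """Size of the smallest character set an attacker must try to cover this password."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def search_space(password: str) -> int:
    """Guesses needed to exhaust every length from 1 up to len(password) over that alphabet.

    An attacker who does not know the length has to cover the shorter lengths too;
    that is the 'haystack' view of password strength.
    """
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def days_to_exhaust(password: str, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case days to try the whole search space at the given guess rate."""
    return search_space(password) / guesses_per_second / 86400


def rank(candidates):
    """Weakest first: (password, alphabet size, length, search space)."""
    rows = [(p, alphabet_size(p), len(p), search_space(p)) for p in candidates]
    return sorted(rows, key=lambda r: r[3])


if __name__ == "__main__":
    # The last two are the slide's own examples; the first two are typical short choices.
    for p, n, length, space in rank(["P@ssw0rd", "201.867.5305", "V0t3f0rP3dr0", "1P7ayP0k3m0n!"]):
        print(f"{p:16} alphabet={n:3} length={length:2} search space={space:.2e} "
              f"days at 1e11/s={days_to_exhaust(p):.2e}")
```

Run as written, the 8-character "complex" password ranks last and the 12-character phone number beats it, which is the slide's point about length. The figure only describes brute force: a phone number, a pet's name or a known phrase still falls to a targeted guess or a dictionary attack no matter how large its haystack, which is why the slide also says not to use them.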

Page 5: 2016 Secure World Expo - Security Awareness

Passwords
• Use a different password for each website.
• Please keep your work passwords unique.
• If your bank or webmail offers you extra security features, use them! (like a text confirmation)
• Enable 2-factor authentication
• Get help at Https://www.turnon2fa.com
• Available for Amazon, iTunes, Snapchat, Yahoo, Outlook, Gmail, Twitter, Facebook
• Consider using a password manager such as KeePass or MiniKeePass. Password managers make your Internet use a lot safer and easier.
• Change your passwords for sensitive web sites (such as your online banking) every 90-180 days (how about a year?)
• When was the last time you changed it?

Page 6: 2016 Secure World Expo - Security Awareness

Common Traps – Phone Connectivity
• Wi-Fi = always on … looking for a connection
• iPhone users: Settings, Wi-Fi, Ask to Join (OFF)
• Android: Settings, Wi-Fi, Advanced, Network Notification (OFF or unchecked)
• Public Wi-Fi connections should be used with caution
• If you must use free connections:
• No confidential data (unless secure)
• No bank transactions
• No online payments
• No Social Security Numbers
• If you have to transmit confidential data: turn Wi-Fi off, use your data.
Please wait until you are on a safe Wi-Fi to check your bank, confidential or personal data. WHY?

Page 7: 2016 Secure World Expo - Security Awareness

Common Traps – Phone Connectivity
• How to check your email securely on your phone?
– iPhone users: Settings, Mail, Accounts, (select the account), Advanced Settings, Use SSL (turn ON)
– Android: Settings, Accounts, (select the account), Settings, Use SSL (turn ON)
• Work, Hotmail, Gmail all have it (work email had better be secure!)
• Why does this matter?
• Today, our private and business life is done via our phones.
• We can forget our wallet and keys, but not the phone.
• We transmit confidential data using phones.
• Do you always connect via secure Wi-Fi?

Page 8: 2016 Secure World Expo - Security Awareness

Pineapple time
• Show pineapple and what I have been able to collect
• Any Wi-Fi access points that you recognize?
– Did I need your permission?
– What can I do with this?
– How do I protect myself?

Page 9: 2016 Secure World Expo - Security Awareness

Opening Emails and Attachments
• Before you open any attachment or click on any link in an email, look closely at each of these parts of the email:
• From: Do you recognize the name?
• To: Just you or a group (alphabetically)?
• Date: Look for odd times like 3:49 am
• Subject: Does it make sense?
• Attachments: The only one that's safe is .TXT
• Content of the message: Does it make sense?
• Hyperlinks: They want you to click
Carefully check each of these areas before you click on any link or open any attachment in any email.
Remember, I am trying to trick you!
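The checklist on this slide can be turned into a mechanical pre-screen. The following is an added example written for this page, not the presenter's tool and not any vendor's add-in: it parses one raw email with Python's standard library and applies each item of the checklist (sender domain, recipient count, send hour, subject pressure, attachment type, link text versus link target). The sample message, the .example domains, the list of known sender domains, the urgency words and the threshold of three hits are all constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample (not a real message): it deliberately shows every warning sign
# from the slide. The .example domains and the names are placeholders.
SAMPLE_EMAIL = """From: "Acme Bank Alerts" <alerts@acme-bank-secure.example>
To: alice@example.org, bob@example.org, carol@example.org, dave@example.org, erin@example.org
Date: Tue, 15 Mar 2016 03:49:00 -0500
Subject: URGENT: verify your account now
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please click <a href="http://acme-bank-secure.example/login">https://www.acmebank.example/secure</a> today.</p>
--b1
Content-Type: application/vnd.ms-excel; name="statement.xls"
Content-Disposition: attachment; filename="statement.xls"
Content-Transfer-Encoding: base64

QUFBQQ==
--b1--
"""

# Assumption: the domains you actually expect mail from (your bank, your own org).
KNOWN_SENDER_DOMAINS = {"acmebank.example", "example.org"}
URGENCY_WORDS = ("urgent", "verify", "suspended", "immediately", "act now")


def _host(url: str) -> str:
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_flags(raw: str, known_domains=KNOWN_SENDER_DOMAINS, recipient_threshold: int = 5) -> dict:
    """Apply the slide's checklist to one raw RFC 822 message; True means 'looks wrong'."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = {}

    # From: is the sending domain one you recognise, not just the display name?
    _, sender = parseaddr(str(msg.get("From", "")))
    flags["unknown_sender_domain"] = sender.rsplit("@", 1)[-1].lower() not in known_domains

    # To: just you, or a long list of recipients?
    recipients = [addr for _, addr in getaddresses([str(msg.get("To", ""))]) if addr]
    flags["many_recipients"] = len(recipients) >= recipient_threshold

    # Date: odd send times such as 3:49 am (in the sender's own time zone)
    date_hdr = msg.get("Date")
    hour = parsedate_to_datetime(str(date_hdr)).hour if date_hdr else None
    flags["odd_hour"] = hour is not None and hour < 6

    # Subject: pressure to act immediately
    subject = str(msg.get("Subject", "")).lower()
    flags["urgency_in_subject"] = any(w in subject for w in URGENCY_WORDS)

    # Attachments: the slide's rule treats only .txt as safe
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    flags["risky_attachment"] = any(not name.lower().endswith(".txt") for name in names)

    # Hyperlinks: does the link text you see point where the href actually goes?
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    mismatch = False
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.lower().startswith(("http://", "https://", "www.")) and _host(shown) != _host(href):
            mismatch = True
    flags["link_text_mismatch"] = mismatch
    return flags


def looks_like_phishing(raw: str, threshold: int = 3):
    """Return (verdict, flags); the threshold is an assumed tuning knob, not a standard."""
    flags = phishing_flags(raw)
    return sum(flags.values()) >= threshold, flags


if __name__ == "__main__":
    verdict, flags = looks_like_phishing(SAMPLE_EMAIL)
    for name, hit in flags.items():
        print(f"{'!!' if hit else '  '} {name}")
    print("verdict:", "suspicious" if verdict else "no obvious signs")
```

The checks are deliberately simple and each one can be wrong on its own (a real bank does send mail at night; a newsletter has many recipients), which is why the verdict needs several hits rather than one. The link check is the most telling item: the text you see and the address you would actually visit are compared by host, which is exactly the comparison a person skips when hovering is inconvenient on a phone.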

Page 10: 2016 Secure World Expo - Security Awareness

Knowbe4.com – Phish Alert Outlook add-in
• This free tool can be downloaded and pushed to all your users
• Via an MSI for Outlook 7, 10, 13, and 16
• Executives love this… Why? One-button convenience… out of sight, out of mind

Page 11: 2016 Secure World Expo - Security Awareness

Online Banking
• Use a bookmark (that you created) or type the address in the address bar of your web browser to go to your banking site.
• Why? You added this; it did not come from an email.
• Do not trust emails sent from your bank… unless.
• Set alerts for adding new bill pay vendors or for debits in excess of a specified amount.
• I get a text from my bank when I make an ATM withdrawal.
• Audit your transactions online frequently – once a week is recommended.
• Do you get a monthly statement? (They charge for that now!)
• Does your bank offer a more secure way of logging into your account (text PIN, phone app)? … USE IT!

Page 12: 2016 Secure World Expo - Security Awareness

Giving Out Personal Information
• Don't respond to anyone asking for personal information through social media like Facebook, email, text or phone for information like:
• Social Security number
• Bank account number
• Date of birth
• Address
• Driver's license number
… unless you initiated the contact to a number or website you can verify.
• Oh wait, some Facebook profiles have all that information!!!
• Consider using an identity theft notification service that alerts you if your (or your children's) personal information is posted on the Internet.
What is Personal Information (PI) or Personally Identifiable Information (PII)?

Page 13: 2016 Secure World Expo - Security Awareness

What is Personal Information (PI)?
Personal information is defined as: First name (or first initial) AND last name AND at least one of these items:
• Social Security #
• Driver license or state-issued ID #
• Military ID #
• Passport #
• Credit card (or debit card) #, security code, and expiration date
• Financial account #s (with or without access codes or passwords)
• Customer account #s
• Unlisted telephone #s
• Date or place of birth
• Mother's maiden name
• PINs or passwords
• Password challenge question responses
• Account balances or histories
• Wage and salary information
• Tax filing status
• Biometric data that can be used to identify an individual (e.g., finger or voice prints)
• Digital or physical copies of handwritten signature
• Email addresses
• Medical record #s

Page 14: 2016 Secure World Expo - Security Awareness

What is Personal Information (PI)? (continued)
Personal information is defined as: First name (or first initial) AND last name AND at least one of these items:
• Vehicle identifiers and serial #s, including license plate #s
• Medical histories
• National or ethnic origin
• Religious affiliation(s)
• Physical characteristics (height, weight, hair/eye color, etc.)
• Insurance policy #s
• Credit or payment history data
• Full face photographic images
• Certificate/license #s
• Internet Protocol (IP) address #s
Definition: PII, as used in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
Wow, we probably have a combination of these on our computers today!
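The two slides above state the rule in words: a name plus at least one listed element. As an added example written for this page (not from the talk), the code below applies that rule to simple records, using regular expressions for a handful of the listed elements (Social Security #, card number with a Luhn check, email address, IP address, date of birth). The patterns, the field names and the sample records are constructed for illustration; the other listed elements would need their own patterns, and the regexes are intentionally loose, which is why the Luhn check is there to drop digit runs that merely look like card numbers.

```python
import re

# Added example, not from the talk: apply the slide's definition of Personal
# Information to records. Regexes cover only a handful of the listed elements and
# are constructed for illustration; the sample records are made up.
ELEMENT_PATTERNS = {
    "Social Security #": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Credit card #": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Date of birth": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}
NAME_FIELDS = ("first_name", "first_initial", "last_name")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random digit runs that merely look like card numbers are skipped."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_elements(text: str) -> set:
    """Return the labels of every listed element found in free text."""
    found = set()
    for label, pattern in ELEMENT_PATTERNS.items():
        for match in pattern.finditer(text):
            if label == "Credit card #" and not luhn_ok(re.sub(r"\D", "", match.group())):
                continue
            found.add(label)
    return found


def classify(record: dict) -> dict:
    """The slide's rule: first name (or first initial) AND last name AND at least one element."""
    has_name = bool(record.get("first_name") or record.get("first_initial")) and bool(record.get("last_name"))
    other_text = " ".join(str(v) for k, v in record.items() if k not in NAME_FIELDS)
    elements = find_elements(other_text)
    return {"has_name": has_name, "elements": sorted(elements), "is_pi": has_name and bool(elements)}


# Constructed sample records (4111 1111 1111 1111 is a well-known test card number).
SAMPLE_RECORDS = [
    {"first_name": "Pat", "last_name": "Doe", "notes": "Card on file 4111 1111 1111 1111, contact pat.doe@example.org"},
    {"first_initial": "J", "last_name": "Roe", "notes": "Last login from 203.0.113.7"},
    {"first_name": "Ana", "last_name": "Lo", "notes": "DOB 07/04/1985"},
    {"first_name": "Sam", "notes": "SSN 123-45-6789"},  # element present, but no last name
    {"first_name": "Lee", "last_name": "Kim", "notes": "Ref 4111 1111 1111 1112, ticket 4421"},  # fails Luhn
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        result = classify(rec)
        print(f"PI={result['is_pi']!s:5} name={result['has_name']!s:5} elements={result['elements']}")
```

The fourth record shows the conjunction in the rule: a Social Security number with only a first name is not Personal Information under this definition, even though it is obviously sensitive, so a scanner that only counts elements will both over- and under-report compared with the legal definition.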

Page 15: 2016 Secure World Expo - Security Awareness

Protecting Your Identity
• Use a cross-cut shredder to dispose of any documents (expect to pay $75 to $100, but you can get one on sale for $39.99).
• Keep all documents with information that can identify you out of view of both friends and strangers.
• Carefully review your credit card and bank statements every month for fraudulent transactions.
• Please, please, please check your bank statements a minimum of once a month. Look for $1.00 transactions. Why? They are testing your card.
• Obtain your credit report from all three credit bureaus (Experian, TransUnion, and Equifax) at least once a year to check for unauthorized entries.
• Use annualcreditreport.com – the only really free one!

Page 16: 2016 Secure World Expo - Security Awareness

Out of Office Email Replies
• Reply to external sources (how much information are you giving away?)
• Many corporations restrict replies to external emails.
• Many criminals are using Out Of Office responses to target you… Why? … You are not there!
• Unless you really, really, really need it, it's dangerous.

Page 17: 2016 Secure World Expo - Security Awareness

Pokémon / Pokéstop data risk
• You are using the device that has your contacts, bank, credit card, and your personal information
• Are you aware of your surroundings?
• Stranger danger
• Google account access
• Full access to your account
• Access to your phone
• Create a Google account just for Pokémon access
• In-app purchases

Page 18: 2016 Secure World Expo - Security Awareness

Ransomware / CryptoLocker
How do we avoid it? (Backups, OS updates, antivirus, Malwarebytes, CCleaner)
How do we recover? (Pay or re-image)

Page 19: 2016 Secure World Expo - Security Awareness

Summary
• Security Starts with You (your role)
• You are the target – Stop / Look / Think
• Tools to protect your data
• Phone Wi-Fi, ONECLICK, Bank alerts, Email encryption, Phishing Emails, Personal Information

Pedro Serrano, ISSA – Oklahoma
Speak | Train | Motivate
[email protected]
https://www.linkedin.com/in/pedro-serrano-0448b46
