ISSA - Security Awareness 2016-1

Security Awareness 2.0: The Human Element

Transcript of ISSA - Security Awareness 2016-1

Page 1: ISSA - Security Awareness 2016-1

Security Awareness 2.0: The Human Element

Pedro Serrano ISSA-Oklahoma

Page 2: ISSA - Security Awareness 2016-1

Agenda
• Your role in Security
• Stop/Look/Think
• Password Management
• Wi-Fi Connectivity
• Securing your email
• Phone Connectivity
• Wi-Fi on all the time?
• Signs of a Phishing
• Safe attachments
• ONECLICK, CEO Wire Fraud
• Online Banking
• Do you have to use your SSN?
• Protecting your ID
• PII, what’s that?
• Shredding Documents
• Oops, it’s not trash
• Electronic Alerts
• Banks, Email

Page 3: ISSA - Security Awareness 2016-1

Your Role (Stop, Look, Think)

• You Are Being Targeted. This is why security starts with you!
• How = tricked into opening files that contain malicious programs
  – They can be in .pdf, .doc, .mp3, .jpg, .xls (the only safe one: .txt)
• Via malicious programs = malware, virus, worm, keyloggers, trojan
  – How = by infecting our systems via spam, phishing or spear phishing. They all involve the human element (all spam and phishing need you to be successful!)
• Where = email, Skype, Facebook, Twitter, LinkedIn (via a link)
• So your system is now infected – now what? (call your support team)
  – Disconnect your PC or laptop from the network / turn it off
  – They will most likely scan your PC: look, review, verify, and correct
  – Most likely no consequences for the call, but a thank you!

Page 4: ISSA - Security Awareness 2016-1

Passwords

• Don’t tell your passwords to anyone!
  – Tech support will (should) not ask!!! (trust but verify)
• Don’t use simple dictionary words, pet’s names, or people’s names for passwords.
• Avoid anything that exists in the dictionary.
• Use passwords that are at least 12 characters long.
  – Telephone # … 201.867.5305, easy to remember!
• Create a “pass phrase” instead of just one word (for example, V0t3f0rP3dr0). Or think up a few nonsense words that you can remember easily (for example, “Betty was smoking tires and playing fish”) = B3t1wSm0k1ngtr3s@p1a!nf1sh!
  – This is 27 characters!

Page 5: ISSA - Security Awareness 2016-1

Passwords

• Use a different password for each website.
  – Please keep “your organization” passwords unique
• If your bank or webmail offers you extra security features, use them! (like a text confirmation)
• Enable 2-factor authentication
  – Get help at https://www.turnon2fa.com
  – Available for Amazon, iTunes, Snapchat, Yahoo, Outlook, Gmail, Twitter, Facebook
• Consider using a password manager such as KeePass or MiniKeePass. Password managers make your Internet use a lot safer and easier.
• Change your passwords for sensitive web sites (such as your online banking) every 60-90 days (How about a year?)
• When was the last time you changed it?
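As an added example (not part of the slides), the password rules from the two slides above that can be checked automatically, minimum length, dictionary words, and reuse across sites, written in Python. The word list, the leet-substitution table, the phone-number check and the sample vault are constructed assumptions for this example; a real deployment would load a proper dictionary or breached-password list, and treating a phone-number-shaped string as guessable is this example's policy choice, not a rule from the slide.

```python
import re

# Constructed stand-in for a real dictionary / breached-password word list.
WORDLIST = {"password", "welcome", "dragon", "summer", "fluffy", "pedro", "betty"}

# Common character substitutions that cracking rules undo, so the checker
# undoes them too before comparing against the word list.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # the slide's minimum

# A US-style phone number (optionally with separators), e.g. 201.867.5305.
PHONE_RE = re.compile(r"\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}")


def normalize(pw):
    """Drop leading/trailing digits and undo leet substitutions: P@ssw0rd1 -> password."""
    core = re.sub(r"^\d+|\d+$", "", pw)
    return re.sub(r"[^a-z]", "", core.translate(LEET).lower())


def check_password(pw, wordlist=WORDLIST):
    """Return policy findings for one password; an empty list means it passes."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"too short ({len(pw)} < {MIN_LENGTH})")
    base = normalize(pw)
    if base in wordlist:
        findings.append(f"dictionary word after undoing substitutions: {base!r}")
    if PHONE_RE.fullmatch(pw):
        findings.append("looks like a phone number")
    return findings


def find_reuse(vault):
    """Map each password used for more than one site to the list of those sites."""
    sites_by_password = {}
    for site, pw in vault:
        sites_by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


# Constructed sample vault of (site, password) pairs; not real credentials.
VAULT = [
    ("bank.example", "Summer2016!Sun"),
    ("webmail.example", "Summer2016!Sun"),
    ("work.example", "B3t1wSm0k1ngtr3s@p1a!nf1sh!"),
]

if __name__ == "__main__":
    for pw in ["P@ssw0rd", "201.867.5305", "V0t3f0rP3dr0", "B3t1wSm0k1ngtr3s@p1a!nf1sh!"]:
        print(pw, "->", check_password(pw) or "OK")
    print("reused across sites:", find_reuse(VAULT))
```

The slide's 27-character passphrase passes every check, while `P@ssw0rd` is caught both for length and as the word `password` once the substitutions are undone.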

Page 6: ISSA - Security Awareness 2016-1

How-to tutorial: Keepass.info/help/base/firststeps.html

Page 7: ISSA - Security Awareness 2016-1

Common Traps – Phone Connectivity

• Wi-Fi = always on … looking for a connection
  – iPhone users: Settings, Wi-Fi, Ask to Join (OFF)
  – Android: Settings, Wi-Fi, Advanced, Network Notification (OFF or unchecked)
• How do we avoid bogus connections?
  – Do not use public (free) connections
  – If you must use free connections:
    • No confidential data (unless secure)
    • No bank transactions
    • No online payments
• Consider Phone Personal Hotspot or tethering

Page 8: ISSA - Security Awareness 2016-1

Page 9: ISSA - Security Awareness 2016-1

Common Traps – Phone Connectivity

• How to check your email securely?
  – iPhone users: Settings, Mail, Accounts, (select the account), Advanced Settings, Use SSL (turn ON)
    • Work, Hotmail, Gmail (all have it; work had better be secure)
  – Android: Settings, Accounts, (select the account), Settings, Use SSL (turn ON)
• Why does this matter?
  – Today, our private and business life is done via our phones.
  – We can forget our wallet or keys, but not the phone.
  – We transmit confidential data using phones.

Page 10: ISSA - Security Awareness 2016-1

Opening Emails and Attachments

• Before you open any attachment or click on any link in an email, look closely at each of these parts of the email:
  – The From: Do you recognize the name?
  – The To: Just you, or a group (alphabetically)?
  – The Date: Look for odd times like 3:49 am
  – The Subject: Does it make sense?
  – Attachments: The only one that’s safe is .TXT
  – The content of the message itself
  – And any hyperlinks they want you to click
• Carefully check each of these areas before you click on any link or open any attachment in any email.
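The checklist above, turned into a small Python triage script as an added example (not code from the presentation). It parses one raw message with the standard library and applies each check: a From display name that names a domain other than the real sender's, a recipient list that is in alphabetical order, a Date in the early morning hours (the 00:00-05:59 window is this example's assumption), any attachment other than .txt, and HTML links whose visible text shows one host while the href points to another. Both sample messages are constructed and use reserved .example domains.

```python
import os
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

ODD_HOURS = range(0, 6)                # assumption: 00:00-05:59 sender time is "odd"
SAFE_ATTACHMENT_EXTENSIONS = {".txt"}  # the slide's rule
URL_LIKE = re.compile(r"[\w-]+\.[a-z]{2,}", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from the anchors of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).netloc.lower().split(":")[0]


def triage(raw):
    """Apply the slide's checklist to one raw RFC 5322 message; return readable findings."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # From: a display name that claims a different domain than the real sender address
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    claimed = re.search(r"@([\w.-]+)", sender.display_name) if sender else None
    if claimed and claimed.group(1).lower() != sender.domain.lower():
        findings.append(f"From: display name claims {claimed.group(1)} but sender is {sender.addr_spec}")

    # To: a group of recipients listed alphabetically is typical of bulk mailings
    rcpts = [a.addr_spec.lower() for a in (msg["To"].addresses if msg["To"] else ())]
    if len(rcpts) > 1 and rcpts == sorted(rcpts):
        findings.append(f"To: {len(rcpts)} recipients in alphabetical order")

    # Date: odd hours in the sender's own timestamp
    sent = msg["Date"].datetime if msg["Date"] else None
    if sent is not None and sent.hour in ODD_HOURS:
        findings.append(f"Date: sent at odd hour {sent:%H:%M} (sender local time)")

    for part in msg.walk():
        # Attachments: anything other than .txt is flagged, per the slide
        filename = part.get_filename()
        if filename:
            ext = os.path.splitext(filename)[1].lower()
            if ext not in SAFE_ATTACHMENT_EXTENSIONS:
                findings.append(f"Attachment: {filename} ({ext or 'no extension'})")
        # Hyperlinks: visible URL text whose host differs from the real href host
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for text, href in collector.links:
                if href and URL_LIKE.search(text) and host_of(text) != host_of(href):
                    findings.append(f"Link: text shows {host_of(text)} but points to {host_of(href)}")
    return findings


# Constructed sample: a phishing-style message that trips every check (no real senders).
SUSPICIOUS = """\
From: "Payroll <payroll@corp.example>" <bulk@mail-blast.example>
To: alice@corp.example, bob@corp.example, carol@corp.example
Date: Tue, 15 Mar 2016 03:49:12 -0500
Subject: Urgent: confirm your direct deposit
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://login.corp-example-verify.example/">https://hr.corp.example/login</a> now.</p>
--B1
Content-Type: application/msword; name="W2_form.doc"
Content-Disposition: attachment; filename="W2_form.doc"
Content-Transfer-Encoding: base64

AAAA
--B1--
"""

# Constructed sample: an ordinary internal message that should raise nothing.
CLEAN = """\
From: Bob Smith <bob@corp.example>
To: alice@corp.example
Date: Tue, 15 Mar 2016 10:15:00 -0500
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Want to grab lunch Thursday?
"""

if __name__ == "__main__":
    for label, raw in [("suspicious", SUSPICIOUS), ("clean", CLEAN)]:
        print(label, "->", triage(raw) or "no findings")
```

The script reports what it saw rather than deciding for the reader; the Subject and message content are still the human's call, which is the slide's point.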

Page 11: ISSA - Security Awareness 2016-1

ONECLICK for Bad Emails in Outlook

Knowbe4.com – Free Phish Alert Outlook add-in

Page 12: ISSA - Security Awareness 2016-1

Online Banking
• Use a bookmark (that you created) or type the address in the address bar in your web browser to go to your banking site.
  – Why? You added this; it did not come from an email.
• Do not trust the phone number sent in any emails. Get your financial institution’s phone number from the back of your credit card, or by going to their website for it.
• Set alerts for adding new bill pay vendors or for debits in excess of a specified amount.
  – I get a text from my bank when I make an ATM withdrawal.
• Audit your transactions online frequently; once a week is recommended.
  – Do you get a monthly statement? (They charge for that now!)
• Does your bank offer a more secure way of logging into your account (text PIN, phone app)? … USE IT!

Page 13: ISSA - Security Awareness 2016-1

Giving Out Personal Information

• Caution!!! An automated phone call with a recording asks you to verify your identity, your credit card number or other personal information. Do not provide it!
  – They should already have it!!!
• Do not trust any telephone numbers or embedded links sent to you in an email.
• If you need to contact them, get the number yourself and type it. (Don’t click the email.)
• Don’t ever give out your Social Security number unless there is a legal requirement to do so. (This is bad in the banking industry; ask for a different way to authenticate.)

Page 14: ISSA - Security Awareness 2016-1

Giving Out Personal Information
• Don’t respond to anyone asking for personal information through social media like Facebook, email, text or phone for information like:
  – Social Security number
  – Bank account number
  – Date of birth
  – Address
  – Driver’s license number
  unless you initiated the contact to a number or website you can verify.
• Oh wait, some Facebook profiles have all that information!!!
• Consider using an identity theft notification service that alerts you if your (or your children’s) personal information is posted on the Internet.

What is Personal Information (PI) or Personally Identifiable Information (PII)?

Page 15: ISSA - Security Awareness 2016-1

What is Personal Information (PI)?
Personal information is defined as: first name (or first initial) AND last name AND at least one of these items:
• Social Security #
• Driver license or state-issued ID #
• Military ID #
• Passport #
• Credit card (or debit card) #, security code, and expiration date
• Financial account #s (with or without access codes or passwords)
• Customer account #s
• Unlisted telephone #s
• Date or place of birth
• Mother’s maiden name
• PINs or passwords
• Password challenge question responses
• Account balances or histories
• Wage and salary information
• Tax filing status
• Biometric data that can be used to identify an individual (e.g., finger or voice prints)
• Digital or physical copies of handwritten signature
• Email addresses
• Medical record #s

Page 16: ISSA - Security Awareness 2016-1

What is Personal Information (PI)?
Personal information is defined as: first name (or first initial) AND last name AND at least one of these items:
• Vehicle identifiers and serial #s, including license plate #s
• Medical histories
• National or ethnic origin
• Religious affiliation(s)
• Physical characteristics (height, weight, hair/eye color, etc.)
• Insurance policy #s
• Credit or payment history data
• Full face photographic images
• Certificate/license #s
• Internet Protocol (IP) address #s

Definition: as used in US privacy law and information security, PII is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

Wow, we probably have a combination of these in our computers, today!
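As an added example (not from the slides) of applying the definition above to data at rest, the Python scanner below reports lines that contain both a name and at least one validated identifier, the slide's "name AND at least one item" rule. Only four identifier types are implemented (US-format SSN with its structural checks, payment card numbers that pass the Luhn checksum, IPv4 addresses, email addresses); the patterns, the name heuristic and the sample text are this example's assumptions, and the other items on the slide would need further rules.

```python
import re

# Heuristic patterns for four of the identifier classes on the slide (assumption:
# US-format SSN, payment card, IPv4 and email; the rest would need more rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Name heuristic: "First Last" or "F. Last" with capitalised words. It will also
# hit phrases like "New York"; good enough to show the name + identifier rule.
NAME_RE = re.compile(r"\b(?:[A-Z][a-z]+|[A-Z]\.) [A-Z][a-z]+\b")


def luhn_ok(digits):
    """Luhn checksum, which valid payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(line):
    """Return {kind: [values]} for the validated identifiers found in one line."""
    found = {}
    if SSN_RE.search(line):
        found["ssn"] = SSN_RE.findall(line)
    cards = [re.sub(r"\D", "", m) for m in CARD_RE.findall(line)]
    cards = [c for c in cards if 13 <= len(c) <= 19 and luhn_ok(c)]
    if cards:
        found["card"] = cards
    if IPV4_RE.search(line):
        found["ip"] = IPV4_RE.findall(line)
    if EMAIL_RE.search(line):
        found["email"] = EMAIL_RE.findall(line)
    return found


def scan(text):
    """Lines that meet the slide's PI definition: a name plus at least one identifier."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        name = NAME_RE.search(line)
        ids = find_identifiers(line)
        if name and ids:
            hits.append({"line": number, "name": name.group(0), "identifiers": sorted(ids)})
    return hits


# Constructed sample text; the people, numbers and addresses are made up
# (the card number is the well-known test value 4111 1111 1111 1111).
SAMPLE_TEXT = """\
Customer: Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111
Ticket from 203.0.113.7 opened by J. Garcia (jgarcia@corp.example)
Server room temperature 72F, badge reader test card 4111-1111-1111-1111
Meeting with Bob Smith about the Q3 roadmap
SSN 000-12-3456 listed for John Roe is not a valid SSN
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_TEXT):
        print(f"line {hit['line']}: {hit['name']} + {', '.join(hit['identifiers'])}")
```

Lines 3 to 5 of the sample show why both halves of the rule matter: a valid card number with no name, a name with no identifier, and a name next to an SSN that fails the structural check are all left out of the report.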

Page 17: ISSA - Security Awareness 2016-1

Protecting Your Identity
• Use a cross-cut shredder to dispose of any documents. (Expect to pay $75 to $100.)
• Keep all documents with information that can identify you out of view of both friends and strangers.
• Carefully review your credit card and bank statements every month for fraudulent transactions.
• Please, please, please check your bank statements a minimum of once a month; look for $1.00 transactions. Why? Someone is testing your card.
• Obtain your credit report from all three credit bureaus (Experian, TransUnion, and Equifax) at least once a year to check for unauthorized entries.
  – Use annualcreditreport.com, the only really free one!

Page 18: ISSA - Security Awareness 2016-1

Protecting Your Identity
• Place free fraud alerts with all three credit bureaus so every credit request must first be verified. A fraud alert is something that the major credit bureaus attach to your credit report.
  – When you (or someone else) tries to open a credit account by getting a new credit card, car loan, cell phone, etc., the lender should contact you by phone to verify that you do want to open a new account. If you aren’t reachable by phone, the credit account should not be opened.
  – Issue … only valid for 90 days … but it’s free!
• Opt out of sharing your nonpublic personal information or credit report information with other businesses. (optoutprescreen.com)
• Consider using a credit protection service to get alerts if someone applies for a new extension of credit in your name (Identity Guard, Identity Force, LifeLock, ProtectMyID, myFICO).

Page 19: ISSA - Security Awareness 2016-1

Protecting Your Identity
• Review your Social Security Earnings and Benefits Statement to be sure that your yearly salary is correct. (Social Security Statement - Form SSA-7004)
• If you are on a wireless (Wi-Fi) network and you visit websites that require personal information, make sure that the wireless network is encrypted. (It shows a little lock and requires a password to get in.)
• Open wireless networks in public places may allow attackers to intercept your passwords under certain circumstances. Never conduct any transactions that require confidential information on open wireless networks. (Our biggest issue … hotels!)

Page 20: ISSA - Security Awareness 2016-1

Summary

• Security Starts with You (your role)
• Human Element (you are being targeted)
• Tools to protect your data
  – Phone Wi-Fi, ONECLICK, Bank alerts, Email encryption, Phishing Emails, Personal Information

Pedro Serrano, ISSA – Oklahoma
Speak | Train | Motivate
[email protected]
https://www.linkedin.com/in/pedro-serrano-0448b46