The Best Free One-Hour Security Awareness Training Ever
I am Jayden Smith. I am here because I love to give presentations. You can find me at @username
Introductions
Ice Breaker
At which desk do you feel like you belong?
CyberSecurity can seem overwhelming, complex and scary. But it’s MOSTLY about people and behavior. And it turns out there are some pretty basic things you can do (like attending this webinar!) to make yourself and your organization significantly more secure.
What we’ll cover today
● Who is after your info
● Why they want it
● How they get it
● What you can do
● Then what?
Our promise - no FUD Fear, Uncertainty and Doubt (often shortened to FUD) is a disinformation strategy used in sales, marketing, public relations, politics and propaganda. FUD is generally a strategy to influence perception by disseminating negative and dubious or false information and a manifestation of the appeal to fear.
Having Said That... We do want everyone to be aware of what threats are out there and what they can do to protect themselves. And understand that you can’t eliminate all risk. One look at the news makes that clear. But...
There are things you can do that can make a big difference.
● Nurture a security culture at your organization
● Educate yourself and others about tactics used to steal your info
● Protect your accounts and devices with secure practices
● Verify: when in (ANY) doubt, VERIFY!
Three Slides of Boring Stuff We want to explain cybersecurity because it’s a term we all see a lot. It might be a little boring, but it’s only three slides and we’ll go fast
Cybersecurity Key Term
Security Triad Where do people fit in?
Everywhere
The CIA Security Triad (yes another triad)
● C (Confidentiality): How bad would it be if the information was exposed?
● I (Integrity): How bad would it be if the information was lost?
● A (Availability): How bad would it be if the information was not available?
Key Term: Phishing Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
Vishing (voice phishing) and spear phishing (targeted phishing) are other types of phishing.
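The definition above turns on one idea: the message masquerades as a trustworthy entity, and the place that masquerade usually shows is the link. The following is an added example, not part of the original slides or of RoundTable's material; it is a small link checker that reports the signals a reader should look for before clicking. The trusted-domain list, the `example-bank.com` name and every sample URL are constructed for illustration.

```python
"""
Added example (not from the original slides): a link checker that surfaces
the signals a phishing message relies on to look like a trusted sender.
The trusted-domain list and all sample URLs are constructed for illustration.
"""
from typing import List
from urllib.parse import urlparse

# Constructed list of domains this (hypothetical) organization trusts.
TRUSTED_DOMAINS = {"example-bank.com", "coned.com"}


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname (good enough for .com-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_warnings(display_text: str, href: str) -> List[str]:
    """Return human-readable reasons a link deserves a second look (empty = nothing odd)."""
    warnings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""

    if parsed.scheme != "https":
        warnings.append(f"not HTTPS (scheme is {parsed.scheme or 'missing'})")
    if parsed.username is not None:
        # Browsers treat everything before '@' as a username; the real host comes after it.
        warnings.append("credentials before '@': the real host is " + host)
    if host.replace(".", "").isdigit():
        warnings.append("bare IP address instead of a name")
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("internationalized/punycode hostname, check for look-alike letters")

    # The visible text names a site, but the real destination is somewhere else.
    text = display_text.strip()
    if "." in text and " " not in text:
        shown = urlparse(text if "://" in text else "https://" + text)
        shown_host = shown.hostname or ""
        if shown_host and registered_domain(shown_host) != registered_domain(host):
            warnings.append(f"link text says {shown_host} but goes to {host}")

    # A trusted brand appears in the name, but the registered domain is not the trusted one.
    reg = registered_domain(host)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host and reg != trusted:
            warnings.append(f"looks like {trusted} but registered domain is {reg}")
    return warnings


if __name__ == "__main__":
    # Constructed samples: one genuine link, two that should make you pause.
    samples = [
        ("https://example-bank.com/login", "https://example-bank.com/login"),
        ("example-bank.com", "http://example-bank.com.secure-login.example/verify"),
        ("Click here", "https://user@192.168.0.10/"),
    ]
    for shown, real in samples:
        print(shown, "->", real, ":", link_warnings(shown, real) or "no warnings")
```

The same checks apply when you hover over a link in an email client: the hostname that actually matters is the registered domain just before the top-level domain, not whatever familiar name appears earlier in the string.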
Phish or not a Phish?
Phish or not a Phish? Take a look at the website we will display next. We’ll leave it up for 10 seconds, then ask everyone if they think it is a phish (fake website) or not a phish (legitimate). P.S. You will notice a watermark “Phishtank” on most of the images. This is NOT a signifier of phish or not a phish status.
Phish!
So, who or what is out to get you?
● Bad guys
● Bots (created by bad guys)
● Bad code
● Your own people
● Human error
Why?
● Steal (money)
● Sell (money)
● Extort (money)
● Make mischief
● Impress a girl (seriously)
How?
● Phishing
● Social engineering
● Malware
● Theft
● Error
● Dumpster diving
● Exploiting vulnerabilities
Social Engineering Key Term
The manipulation of our human instinct to help
Social Engineering
6 Things to Get your Spidey Sense Tingling
● Initiation
● Something for “nothing”
● Urgency
● Fear
● Authority
● Information request
Joshua’s book recommendation: The Gift of Fear by Gavin de Becker
RoundTable Theatre: Vishing Call. Note these characteristics:
● Initiation
● Urgency
● Fear
● Authority
Vishing
Voice Phishing, or Phishing by Phone. It happens and it’s happening more. Same rules apply. By definition, vishing is initiated by the caller, not by you, so you should immediately be on guard.
● Don’t give out personal information in response to an incoming call.
● Verify.
● Report (if suspected fraudulent).
Let the Federal Communications Commission (FCC) know about ID spoofers by calling 1-888-CALL-FCC or filing a complaint at www.fcc.gov/complaints.
Phish or not a Phish? #2
Phish or not a Phish? #2 Take a look at the website we will display next. We’ll leave it up for 10 seconds, then ask everyone if they think it is a phish (fake website) or not a phish (legitimate). P.S. You will notice a watermark “Phishtank” on most of the images. This is NOT a signifier of phish or not a phish status.
Spear Phishing here.
Not a Phish!
Speaking of Con Edison
Spear Phish
(only the names have been changed)
Top 5 Ashley Madison Passwords (2015 breach)
Passwords
● Length (not complexity)
● Passphrases
● Password managers
● Don’t reuse
● Don’t give them to people
● Don’t do what these folks did
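To make the "length, not complexity" and "don't reuse" points concrete, here is an added example that is not part of the original slides or of RoundTable's material: a length-first password check with a rough entropy estimate. The minimum length of 14 is an assumed policy value, and the breach list is a constructed stand-in, not the Ashley Madison or LinkedIn data.

```python
"""
Added example (not from the original slides): a length-first password check
that reflects the slide's advice. MIN_LENGTH is an assumed policy value and
BREACHED is a constructed stand-in for a real breached-password list.
"""
import math
from typing import List

MIN_LENGTH = 14  # assumed policy value, not from the slides
# Constructed stand-in for "passwords seen in breaches".
BREACHED = {"123456", "password", "qwerty", "letmein", "welcome1", "p@ssw0rd!"}


def estimate_entropy_bits(password: str) -> float:
    """Rough brute-force entropy: length * log2(size of the character pool used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def passphrase_entropy_bits(word_count: int, dictionary_size: int = 7776) -> float:
    """Entropy of a passphrase of randomly chosen words (7776 = size of a Diceware list)."""
    return word_count * math.log2(dictionary_size)


def check_password(password: str) -> List[str]:
    """Return the reasons a password is rejected; an empty list means it is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    if lowered in BREACHED:
        problems.append("appears in breach list")
    # "Password123!" is still reuse of "password": strip a trailing digit/punctuation suffix.
    stripped = lowered.rstrip("0123456789!")
    if stripped != lowered and stripped in BREACHED:
        problems.append("breached password with digits/punctuation appended")
    return problems


if __name__ == "__main__":
    for candidate in ["p@ssw0rd!", "Password123!", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}, "
              f"~{estimate_entropy_bits(candidate):.0f} bits if brute-forced")
    # Eight characters from the full keyboard vs twenty lowercase letters.
    print("8-char complex:", round(estimate_entropy_bits("Tr0ub4&3"), 1), "bits")
    print("20-char lowercase:", round(estimate_entropy_bits("abcdefghijklmnopqrst"), 1), "bits")
    print("5 random Diceware words:", round(passphrase_entropy_bits(5), 1), "bits")
```

Two design points: the brute-force estimate is an upper bound (a mangled dictionary word is far weaker than the arithmetic suggests, which is why the breach-list check comes first), and the suffix strip catches the most common way people "change" a password they were told not to reuse.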
Top LinkedIn Passwords (2012 breach)
Multi-Factor Authentication
Key Term
1. Something you know (username, password)
2. Something you have (smartphone, USB key)
3. Something you are (fingerprint, voice recognition)
Important News PCI Standard Adds Multi-Factor Authentication Requirements Infosecurity Magazine | PCI DSS version 3.2 has just been released, meaning the old standard, version 3.1, is soon to expire in October 2016. "One significant change in PCI DSS 3.2 is that it includes multifactor authentication as a requirement for any personnel with administrative access into environments handling card data."
Phish or not a Phish? #3
Phish!
Remote and Travel. If you do all the other things we have talked about (and are going to talk about), you are already much safer. These same practices make remote work and travel much safer.
● Multi-factor authentication
● Device encryption
● Environmental awareness
● Log out of sessions
And it doesn’t hurt to keep your eyes on your stuff!
Mobile Devices
● Protect your device with a password
● Encrypt your data
● Most mobile phones support biometric authentication (fingerprint). Use it!
● Keep eyes on them
● Enable FindYourPhone
● Learn how to disable services (Bluetooth, Wi-Fi, location)
Wireless Networks
● Secure your own home Wi-Fi with WPA2
● Look for “sign-on” pages on unsecured networks
● Restrict sensitive transactions when on unsecured networks
● Use 4G if not cost-prohibitive
Encryption Key Term
Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plaintext; encrypted data is referred to as ciphertext.
Encrypt Your Devices. Encrypting your laptop, smartphone and tablet is usually as easy as toggling a switch and creating a PIN or passkey.
Phinal Phish!
Phish!
on what you can do
● Nurture a security culture at your organization
● Educate yourself and others about tactics used to steal your info
● Protect your mobile devices and accounts with secure practices
● Verify any and all communications if you have any doubt
Now tell us again, at which desk do you feel like you belong?
About FMA FMA exists to build a community of individuals with the confidence and skills to lead organizations that change the world.
Thanks for attending! Please give us feedback at http://feedback.rtt.nyc. The survey just takes a minute and you can request that the recording and slide deck be emailed to you. Also let us know if you want to take advantage of either of the following offers available to attendees of this webinar.
● 15% off a Risk Analysis Project for your organization
● 50% off the first month of any ongoing RoundTable service
● Free credit card processing fee assessment from Merchant Advocate: http://cc-save.rtt.nyc
If Interested, contact us and use code: BESTEVER
CREDITS
Special thanks to all the people who made and released these awesome resources for free:
● Phishtank and OpenDNS
● Presentation template by SlidesCarnival
Resources
● Three PCI security trends for 2016
● 10 Phishing Resource Companies
● Carnegie Mellon Phishing Education
● Password Tips from Experts (Wired)
● OpenDNS Phishing Quiz
● FTC - Scam Alerts
● FTC - About Phone Scams
● More Free Security Resources from RoundTable
● VPN - ProXPN for use on Unsecure Wi-Fi