• To work in line with company policies and/or procedures
• To do your utmost to protect the organisation from a cyber attack
• To treat the data you are responsible for handling with care
• To properly raise any queries or concerns
• To escalate any issues which may affect the organisation
• To be vigilant and to take proper care when handling, sharing or storing data
• To act as an ambassador of your organisation, respecting its security culture both internally and externally
WWW.TRAINING2000.CO.UK/CYBER
• Using the same password for all your accounts is the greatest risk to your personal security
• Passwords can be cracked very easily, so strong passwords are essential
• A strong password should include: upper and lower case letters, numbers, special characters AND be different for every account!
• Developing your own algorithm to make sure your passwords meet the criteria for a strong password every time
• Using strongpasswordgenerator.com to come up with a new one, and then storing it in a password vault so you don’t forget it!
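As an added example (not part of the booklet), a small Python check that applies the password criteria listed above and also flags the same password being used for more than one account; the 12-character minimum and the sample vault contents are assumptions, as the booklet sets no length.

```python
import string

# Criteria stated in the booklet: upper and lower case letters, numbers,
# special characters, and a different password for every account.
SPECIAL_CHARS = set(string.punctuation)


def policy_failures(password: str, min_length: int = 12) -> list[str]:
    """Return the booklet criteria this password fails (empty list = passes).
    The 12-character minimum is an assumption; the booklet sets no length."""
    checks = [
        (len(password) >= min_length, f"shorter than {min_length} characters"),
        (any(c.isupper() for c in password), "no upper case letter"),
        (any(c.islower() for c in password), "no lower case letter"),
        (any(c.isdigit() for c in password), "no number"),
        (any(c in SPECIAL_CHARS for c in password), "no special character"),
    ]
    return [reason for ok, reason in checks if not ok]


def reuse_groups(accounts: dict[str, str]) -> list[list[str]]:
    """Return groups of account names that share the same password.
    accounts maps account name -> password, as a vault export would."""
    by_password: dict[str, list[str]] = {}
    for name, pw in accounts.items():
        by_password.setdefault(pw, []).append(name)
    return [sorted(names) for names in by_password.values() if len(names) > 1]


def audit(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Per-account list of problems, combining strength and reuse checks."""
    report = {name: policy_failures(pw) for name, pw in accounts.items()}
    for group in reuse_groups(accounts):
        for name in group:
            others = ", ".join(n for n in group if n != name)
            report[name].append(f"same password as {others}")
    return report


# Constructed sample vault (not real credentials) for a demonstration run.
SAMPLE_ACCOUNTS = {
    "email": "Winter2024!",
    "bank": "Winter2024!",
    "work": "tulip-RIVER-7-glass",
    "shop": "password",
}

if __name__ == "__main__":
    for account, problems in audit(SAMPLE_ACCOUNTS).items():
        print(f"{account}: {'OK' if not problems else '; '.join(problems)}")
```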
• Spamming - sending the same (fake) email to a large number of recipients
• Spear phishing - an email that appears to be from someone you know
• Vishing - a telephone scam aimed to trick the user into giving out information
• SMiShing - a text message which prompts the user to download malware
• Whaling - a type of spear phishing aimed at senior executives
• Pharming - redirects traffic bound for a victim’s site to another, fake site
• Spoofing - creation of email messages with a false email address
• Cancel any downloads that may have started and delete them
• Delete anything in your recycle bin
• Close your internet browser (and turn off data)
• Use another device to change your passwords
• Restart your device
• Keep an eye on your machine’s performance
• Check that all installed programs are ones YOU chose
• If in doubt, ask!
• Steal money through fake payment portals
• Trick you into downloading malware
• Read your IP address and online footprint to follow you elsewhere
• Drop cookies into your browser
• Steal your usernames and passwords (what did we learn about passwords?!)

• Ask your IT department or provider to check the site’s safety before using it
• Do NOT input any personal information
• Check other online sources
• Call the phone number to check
• Use Norton’s Safe Web widget: https://safeweb.norton.com
• Files - Use an encrypted drive, such as TrueCrypt
• Emails - You can set up encryption for emails via your email provider
• Devices - You can buy encrypted hard drives and USBs or use software
• Documents - You can select ‘encrypt with password’ on your documents
• Cloud storage - Use a secure cloud storage provider such as Box or OneDrive

• Use the process of data classification to decide what should be encrypted and whom you are sending it to
• Basic classifications include public, informal, confidential and critical; you may choose (or your policy may say) to encrypt only confidential and critical data
• Adopt the ‘need to know’ mentality: only send information to people who really need it, rather than informing people of sensitive data they might not necessarily need
• Be aware of your physical surroundings – ‘shoulder surfing’
• Log out of sites when not in use
• Lock down your computer when away from your desk – ctrl, alt & delete
• Don’t leave sensitive information, including passwords, in view
• Don’t share your passwords with anyone else
• Don’t be afraid to question – common sense prevails
• Be cautious about what you post on social media
• Maintain the same good practice when away from the office
• Use your shared network whenever possible – this is backed up and access rights are in place based on your needs
• If you are working away from the office with no access to your network, save your work in an encrypted drive until you can move this over to your shared area
• Don’t rely on storing information on portable devices as they can easily be lost. If you have to use them, make sure they are encrypted.
• Direct supervision is not possible
• Loss of IT equipment is much more likely
• Public environment – lots of people can see what you’re doing
• Unsecured networks
• Data protection

• Usernames
• Passwords
• Emails
• Messages
• Files
• Network drives
• Web pages

• Pay attention to your remote working policy
• Don’t leave your device unattended
• Be aware of who is around you - can you see what they are working on?
• Don’t use removable media devices
• Don’t connect to open WIFI
• Use a VPN (Virtual Private Network) to encrypt your internet traffic
• Don’t save preloaded website credentials
• Social engineering is ‘the art of human hacking’
• It can be a lucky route in, or a fully targeted and planned attack
• You may not consider it to be ‘cyber security’, however social engineering uses the perimeter around the digital target: people, buildings and information
• How social engineers build a profile of the target:
• Using information found on social media sites
• Observing and attempting ways into the building
• Planting phishing emails and scam calls to gain further information

• Always keep a clear desk
• Pay attention to who is in the building – use correct visitor procedures
• Be mindful about the information you share on social media
• Be suspicious of unusual calls – take the number, vet the caller and ring them back if you feel unsure of their identity
• Remember your good practice around emails and phishing
• If in doubt, ask!
ACCESS CONTROL
Controlling who has access to a computer or online service and the information it stores
ASSET
Something of value to a person, business or organisation
BACKING UP
To make a copy of data stored on a computer or server to lessen the potential impact of failure or loss
BRING YOUR OWN DEVICE (BYOD)
Preparing for and maintaining continued business operations following disruption or crisis
CLOUD COMPUTING
Delivery of storage or computing services from remote servers online (ie via the internet)
ENCRYPTION
The transformation of data to hide its information content
FIREWALL
Hardware or software designed to prevent unauthorised access to a computer or network from another computer or network
GAP ANALYSIS
The comparison of actual performance against expected or required performance
HACKER
Someone who violates computer security for malicious reasons, kudos or personal gain
HARD DISK
The permanent storage medium within a computer used to store programs and data
IDENTIFICATION
The process of recognising a particular user of a computer or online service
INTERNET SERVICE PROVIDER (ISP)
Company that provides access to the internet and related services
KEYBOARD LOGGER
A virus or physical device that logs keystrokes to secretly capture private information such as passwords or credit card details
LOCAL AREA NETWORK (LAN)
Communications network linking multiple computers within a defined location such as an office building
MACRO VIRUS
Malware (ie malicious software) that uses the macro capabilities of common applications such as spreadsheets and word processors to infect data
MALWARE
Software intended to infiltrate and damage or disable computers. Shortened form of malicious software
NETWORK FIREWALL
Device that controls traffic to and from a network
PASSWORD
A secret series of characters used to authenticate a person’s identity
PERSONAL FIREWALL
Software running on a PC that controls network traffic to and from that computer
PERSONAL INFORMATION
Personal data relating to an identifiable living individual
PHISHING
Method used by criminals to try to obtain financial or other confidential information (including usernames and passwords) from internet users, usually by sending an email that looks as though it has been sent by a legitimate organisation (often a bank). The email usually contains a link to a fake website that looks authentic.
PORTABLE DEVICE
A small, easily transportable computing device such as a smartphone, laptop or tablet computer
RISK
Something that could cause an organisation not to meet one of its objectives
SECURITY CONTROL
Something that modifies or reduces one or more security risks
SERVER
Computer that provides data or services to other computers over a network
SPYWARE
Malware that passes information about a computer user’s activities to an external party
THREAT
Something that could cause harm to a system or organisation
VIRTUAL PRIVATE NETWORK (VPN)
Link(s) between computers or local area networks across different locations using a wide area network that cannot access or be accessed by other users of the wide area network
VIRUS
Malware that is loaded onto a computer and then run without the user’s knowledge or knowledge of its full effects
VULNERABILITY
A flaw or weakness that can be used to attack a system or organisation
WI-FI
Wireless local area network based upon IEEE 802.11 standards
WORM
Malware that replicates itself so it can spread to infiltrate other computers