Information Security Awareness - PowerPoint PPT Presentation

1
Information Security Awareness
  • What every employee should know
  • Michael De La Cruz
  • Information Security Officer
  • CISSP, MCSE, MCSA, Network+, A+

2
Objectives
  • To build general awareness of information
    security.
  • To develop a working knowledge of information
    security principles and practices.
  • To gain a basic understanding of the hacker
    mindset.
  • To get your commitment to follow the information
    security pledge.

3
Agenda
  • Quiz
  • Video
  • A problem report
  • Practicing the information security habits
  • Getting help
  • Another quiz

4
An Information Security Quiz
  • Measure your knowledge
  • Don't worry, it's anonymous

5
Statistics - 2002
6
Statistics - 2001
  • U.S. corporations lost $59 billion in proprietary
    information and intellectual property during the
    past year.
  • Only 13% of Fortune 1000 companies responded to
    the survey.
  • Of those 139 who did respond, only 40 reported
    an incidence of known or suspected information
    theft.

7
Statistics
  • Carnegie Mellon University estimates that 99% of
    all reported intrusions "result through
    exploitation of known vulnerabilities or
    configuration errors, for which countermeasures
    were available."

8
Statistics
9
STCC Statistics
  • December 20, 2002 to January 7, 2003
    • 1,913 port scans from all over the world
    • 513 attempted DDoS attacks
    • 2,413 web server attacks
    • 7,162 reconnaissance attempts
  • Daily average
    • 106 port scans
    • 29 DDoS attempts
    • 134 web server attacks
    • 398 reconnaissance attempts

10
Today
  • Hackers view over 5 million credit card accounts
  • Credit card companies do not know when it
    happened
  • Information was not used in a fraudulent way

11
Unsolved Hacks
12
The Problem
  • Threats to STCC

13
Quote
"People are the weakest link. You can have the
best technology, firewalls, intrusion-detection
systems, biometric devices - and somebody can
call an unsuspecting employee. That's all she
wrote, baby. They got everything." - Kevin
Mitnick
14
The Problem-Threats
  • Competitors
  • Disgruntled Employees
  • Hackers
  • Natural disasters
  • Honest mistakes

15
Definition of a Hacker
  • This is a computer user who works to understand
    the ins and outs of computers, networks, and the
    Internet. Hackers are generally benign and
    believe that information should be free.
  • I usually use the term hacker when I really
    mean cracker. The difference is that crackers
    have malicious intent and tend to destroy and
    steal for no other higher purpose.

16
Hacker Ethic
  • Access to computers and everything which might
    teach you something about the way the world works
    should be unlimited and total
  • All information should be free
  • Mistrust authority; promote decentralization
  • Hackers should be judged by their hacking only

17
Video
  • Adrian Lamo

18
Hackers
  • Legion of Doom - Charged in '89, convicted in '90
    for hacking into Bell South.
  • Sentenced 14-21 months, ordered to collectively
    pay $233,000
  • Kevin Mitnick - Convicted in '99 for stealing $1
    million in software from Digital Equipment
    Corporation.
  • Sentenced to 1 year imprisonment, and restricted
    from using a computer.

19
The Problem - Attacks
  • Confidentiality
    • Disclosing or using STCC trade secrets
  • Integrity
    • Modifying information without authorization
  • Availability
    • Destroying or denying access to the information
      we need to do business

20
The Problem - Targets
  • STCC's money
  • STCC's infrastructure
  • STCC's reputation

21
The Solution
  • The Information Security pledge

22
The Solution - Take the Pledge
  • I recognize that STCC's information assets are
    under attack
  • I accept that I have a personal role in
    protecting STCC's information assets
  • I commit to practice the 3 basic security habits
  • I will call on the Information Security team to
    help me

23
The Solution - Practice the 3 Habits
  • I will have a strong password
  • I will keep a secure office
  • I will protect STCC assets everywhere

24
Habit 1 - Have a Strong Password
  • The habit of protecting your electronic access to
    the vault

25
(No Transcript)
26
Your Password - Protecting Your Account
  • Lock your system
  • Use a strong password
  • Keep your password secret
  • Use care with shared accounts
  • Back up critical information

27
Your Password - Sharing Electronic Information
Securely
  • Enforce need-to-know
  • Authenticate confidential access
  • Encrypt vulnerable data
  • Follow US export law regarding controlled country
    coworkers

28
Examples of Passwords
  • Weak
    • 12345
    • Password
    • STCC
    • Pecan
    • Gateway1
    • abc123
  • Strong
    • tCj0Tm
    • iL2e0c
    • 1cRmPW!
    • CyMm@M0?
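
The weak/strong split on this slide can be turned into a check that explains *why* each example lands where it does. The following is an added example, not code from the original presentation: the thresholds (at least 6 characters and 3 character classes) are assumptions chosen so that the deck's own "Strong" examples pass, the wordlist is a small constructed one, and "CyMm@M0?" is the slide's "CyMm_at_M0?" with the @ restored.

```python
import math
import string

# Constructed wordlist for this example only; a real check would use a
# large dictionary plus a list of known-breached passwords.
COMMON_WORDS = {"password", "stcc", "pecan", "gateway", "abc",
                "admin", "welcome", "letmein"}

# Assumed thresholds, chosen so the deck's own "Strong" examples pass.
MIN_LENGTH = 6
MIN_CLASSES = 3


def char_classes(pw):
    """Return the set of character classes (lower/upper/digit/symbol) used in pw."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def estimated_bits(pw):
    """Naive brute-force entropy: length * log2(pool size implied by the classes used)."""
    pool_size = {"lower": 26, "upper": 26, "digit": 10,
                 "symbol": len(string.punctuation)}
    pool = sum(pool_size[c] for c in char_classes(pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def contains_common_word(pw):
    """True if any wordlist entry appears inside pw (case-insensitive)."""
    lowered = pw.lower()
    return any(word in lowered for word in COMMON_WORDS)


def has_sequence(pw, run=3):
    """True if pw holds a run of `run` consecutive code points, e.g. abc or 123."""
    codes = [ord(c) for c in pw]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        if all(window[j + 1] - window[j] == 1 for j in range(run - 1)):
            return True
    return False


def assess(pw):
    """Return (verdict, reasons, estimated_bits) for a candidate password."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(char_classes(pw)) < MIN_CLASSES:
        reasons.append(f"fewer than {MIN_CLASSES} character classes")
    if contains_common_word(pw):
        reasons.append("built on a dictionary word")
    if has_sequence(pw):
        reasons.append("contains a keyboard or alphabet sequence")
    verdict = "weak" if reasons else "strong"
    return verdict, reasons, round(estimated_bits(pw), 1)


if __name__ == "__main__":
    # The slide's own examples, weak ones first.
    for pw in ["12345", "Password", "STCC", "Pecan", "Gateway1", "abc123",
               "tCj0Tm", "iL2e0c", "1cRmPW!", "CyMm@M0?"]:
        verdict, reasons, bits = assess(pw)
        print(f"{pw:10} {verdict:6} {bits:5.1f} bits  {'; '.join(reasons)}")
```

"Gateway1" is the instructive case: it satisfies the length and character-class rules, and is rejected only because it is a dictionary word with a digit appended, which is exactly the kind of guess a password-cracking tool tries before any brute force. The entropy column is the caveat the slide's labels need today: the 6-character "Strong" examples score about 36 bits, so by current guidance (NIST SP 800-63B) length and screening against breached-password lists matter more than composition rules.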

29
L0phtcrack Demonstration
  • How hackers crack passwords

30
Uncrackable Characters
31
Your Password - Protecting The Network
  • Connect only authorized devices to the network
  • Be alert for malicious programs
  • Don't be a backdoor

32
Habit 2 - Keep a Secure Office
  • The habit of protecting the vault while you're
    working in your office

33
Your Office - Keeping a Clean Office
  • Protect classified documents
  • Lock down your valuable assets
  • Watch out for eavesdroppers
  • Be careful with printers and copiers

34
Your Office - Messaging
  • Know your addresses
  • Encrypt vulnerable data
  • Use care with faxing and auto-forwarding

35
Your Office - Collaborating
  • Know your audience
  • Be wary of non-secure connections
  • Be mindful of controlled technology laws
  • Clean up when you're done

36
Your Office - Your Trash
  • Return registered documents to appropriate
    personnel
  • Dispose of confidential trash appropriately
  • Sanitize office equipment prior to disposal

37
Habit 3 - Protect STCC Assets Everywhere
  • The habit of protecting information from the
    vault when you're away from the office

38
Everywhere - Out and About at STCC
  • Treat common areas as non-secure
  • Help maintain access control
  • Look for security problems
  • Report suspicious activity

39
Everywhere - Working Away From the Office
  • Use secure computers and remote connections
  • Protect documents as you would in-plant
  • Be wary of thieves and eavesdroppers
  • Follow US export laws for controlled countries

40
Everywhere - Appearing in Public
  • Review publications, seminars, and presentations
  • Provide the minimum on applications and forums
  • Resist social engineering

41
Getting Help from the Information Security Team
42
Help Reporting Problems
  • Report any unusual system activity to the ITS
    Help Desk. They in turn will notify the
    Information Security Officer.
  • Do not investigate the incident yourself; the
    Incident Response Team will lead the
    investigation.
  • Call the Help Desk for non-emergency help.

43
An Information Security Quiz
  • Measure what you've learned
  • Don't worry, it's anonymous

44
The Information Security Pledge
  • I recognize that STCC's information assets are
    under attack
  • I accept that I have a personal role in
    protecting STCC's information assets
  • I commit to practice the 3 basic security habits
    • I will have a strong password
    • I will keep a secure office
    • I will protect STCC assets everywhere
  • I will call on the Information Security team to
    help me

45
Questions