IT Security Awareness Training

Category: Education

Presentation Description

IT Security Awareness Training for Employee Orientation

Presentation Transcript

IT Security Awareness Training : 

Kansas Department of Agriculture
State Conservation Commission
Government Ethics Commission
Kansas Water Office

Information Technology Policy 7400 – Computer Security Awareness and Training : 

Mandatory for all government employees, contractors and other third parties that have access to Kansas IT systems and data.
Securing our agency’s information is EVERYONE’s responsibility.

Workstation Security : 

Protection of our agency’s assets and information begins with locking your workstation whenever you leave it. Whenever you leave your computer, even for a short time, you must LOCK BEFORE YOU WALK!

Workstation Security : 

Lock before you walk! To lock your workstation, press Ctrl + Alt + Delete and choose Lock, or press the Windows key + L. Get in the habit: always lock before you walk.

Workstation Security : 

Acceptable Use of Workstation & Resources
Internet access and email, as well as other means of communication, are resources provided for business purposes.
BE AWARE! Your communications and use of resources are monitored, recorded and controlled at all times.

Workstation Security : 

Prevent Shoulder Surfing
Shoulder surfing is when someone obtains sensitive information or passwords by watching you enter that information into the computer. Shoulder surfing can also occur when someone:
listens to your conversation with others
listens to sensitive business discussions
eavesdrops on or overhears your telephone calls, etc.

Workstation Security : 

How do you prevent shoulder surfing?
Look over your shoulder to make sure no one is watching or listening. If someone is, take a moment and control the situation by:
adjusting your monitor
asking the person to step to a place where the information cannot be seen or heard
or simply covering the information, if that offers enough protection

Password Management : 

When creating a password, it should appear random to another person: difficult to guess or crack, but easy for you to remember. Strong passwords are at least 8 characters long and use at least 3 of the following 4 character types:
UPPER case letters
lower case letters
Numbers 0 through 9
Special characters ! @ # $ % ^ & * ( ) { } |

Password Management : 

It is recommended you use a favorite quotation, phrase, sentence, or movie title, adapted to meet the password requirements. Examples:
PleaseLetMeIn!
C@nNotW@1tToGoHome
M@rriedWithChildern2
CowboyW@y!
Treat these only as a pattern: any password printed in training material is public and must never be used as-is.
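The composition rule above (8 or more characters, at least 3 of the 4 character classes) implemented as a checker, as an added example that is not part of the original training deck. The function names are this example's own; the checker also rejects the deck's own sample passwords, since anything printed in training material is public.

```python
"""Check a candidate password against the policy stated in the slides:
at least 8 characters and at least 3 of the 4 character classes.
Added example; function names are this example's own, not the agency's."""
import string

SPECIAL = set("!@#$%^&*(){}|")      # the special characters the slide lists
MIN_LENGTH = 8
MIN_CLASSES = 3

# The sample passwords printed in the deck.  Anything published in training
# material is public, so a checker should refuse them outright.
PUBLISHED_EXAMPLES = {
    "PleaseLetMeIn!",
    "C@nNotW@1tToGoHome",
    "M@rriedWithChildern2",
    "CowboyW@y!",
}


def character_classes(password: str) -> set[str]:
    """Return which of the four classes appear in the password.
    Characters outside all four (spaces, accented letters) count for none."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIAL:
            classes.add("special")
    return classes


def meets_composition_rules(password: str) -> tuple[bool, list[str]]:
    """Apply the length and character-class rules; return (ok, failed rules)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"only {len(password)} characters, need {MIN_LENGTH}")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        reasons.append(f"uses {len(classes)} of 4 character classes, need {MIN_CLASSES}")
    return (not reasons, reasons)


def check_password(password: str) -> tuple[bool, list[str]]:
    """Composition rules plus a deny-list of the deck's published examples."""
    ok, reasons = meets_composition_rules(password)
    if password in PUBLISHED_EXAMPLES:
        reasons.append("is a published example from the training deck")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["Summer2024", "PleaseLetMeIn!", "ab1!", "TheCowsC@meHome@5"]:
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'rejected: ' + '; '.join(why)}")
```

Note that "Summer2024" passes: composition rules do not catch predictable patterns, which is why the slide's advice to start from a phrase you will remember, and then make it long, matters more than the exact character mix.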

Malicious Code : 

What is malicious code? It is software that interferes with the normal operation of your computer. It usually executes without your knowledge or consent, and sometimes it even damages or disables your computer. Malicious code includes viruses, trojans, worms and spyware.

Malicious Code : 

Malicious code is frequently transferred by:
Email: to protect yourself, DO NOT open attachments or click on links that appear suspicious or are unexpected.
Unauthorized downloads: prohibited by policy to prevent malicious code problems.

Malicious Code : 

Malicious code is frequently transferred by:
Peer-to-peer file sharing: also prohibited; this type of sharing is notorious for spreading malicious code (LimeWire, Morpheus, BitTorrent, Napster, BearShare, eMule, eDonkey, etc.). pcAnywhere, which is remote-control software rather than a file-sharing client, is prohibited as well.
Copyright laws: always respect the intellectual property rights of others and do not make illegal copies of software, music, graphics or other files.

Spyware : 

Spyware is malicious code that is installed on your computer when you visit certain websites or accept a bundled install. It can track your surfing habits, steal your passwords, and hijack your browser settings.

Spyware : 

Suspect that you might have a spyware problem when:
your computer is abnormally sluggish
endless pop-ups appear
you are redirected to other websites
unexpected toolbars appear
your home page changes

Spyware : 

How do you prevent spyware?
Avoid clicking on links in pop-up windows.
When pop-ups do appear, close them from the taskbar.
Be sure to read any user agreements carefully so that you don’t unknowingly agree to allow spyware to be installed.
Avoid seemingly “free” offers for anti-spyware software, contests, vacations, gift cards, or coupons.

Social Engineering : 

In a social engineering attack, an attacker uses human interaction or social skills to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.

Social Engineering : 

Social engineering is one of the greatest security threats facing organizations. If successful, social engineers could gain access to information systems, gain access to facilities, steal another person's identity, and even steal your identity. You can be social engineered over the phone, over your computer, and in person.

Social Engineering : 

What can you do to avoid being a victim of social engineering?
Verify the identity of the person you are speaking to; ask for identification as necessary.
Share information on a “need to know” basis: only what is necessary.
When in doubt, refer the person to your supervisor.

Phishing : 

Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

Phishing : 

Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as:
natural disasters (e.g., Hurricane Katrina, Indonesia tsunami)
epidemics and health scares (e.g., H1N1)
economic concerns (e.g., IRS scams)
major political elections
holidays

Phishing : 

How do you avoid being a victim?
Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information.
Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes clicking on links sent in the email.

Phishing : 

How do you avoid being a victim?
Don't send sensitive information over the Internet before checking that the site uses HTTPS and that its address is the one you expect.
Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
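The URL checks the slide describes (a spelling variation of a trusted name, or the same name under a different domain) written out as a small classifier, as an added example that is not part of the original deck. The trusted-domain list is constructed for illustration (kda.ks.gov is the helpdesk domain from the last slide; examplebank.com stands in for a financial institution). The check also flags a third common variant that goes beyond the slide: a trusted name buried inside an unrelated host, such as examplebank.com.evil-login.net.

```python
"""Classify a link by comparing its host with the domains we expect.
Added example, not from the training deck.  TRUSTED_DOMAINS is an
assumption constructed for illustration."""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"kda.ks.gov", "examplebank.com"}   # assumption: our allow-list


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted_host(host: str) -> bool:
    """True for a trusted domain itself or any host beneath it (www.examplebank.com)."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'suspicious' or 'untrusted'.
    Limitation: punycode (xn--) look-alike hosts are not decoded here."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".")        # hostname is already lower-cased
    if not host:
        return ("untrusted", "link has no host")
    if is_trusted_host(host):
        if parts.scheme == "http":
            return ("suspicious", f"{host} is ours but the link is plain http")
        return ("trusted", host)

    labels = host.split(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        tname, _, tsuffix = trusted.partition(".")   # 'kda.ks.gov' -> 'kda', 'ks.gov'
        depth = trusted.count(".") + 1               # number of labels in the trusted domain
        if len(labels) >= depth:
            cand = labels[-depth:]                   # the same-depth tail of the link's host
            name, suffix = cand[0], ".".join(cand[1:])
            if name == tname and suffix != tsuffix:  # same name, different domain (.com vs .net)
                return ("suspicious", f"{host}: '{tname}' under '.{suffix}' instead of '.{tsuffix}'")
            dist = levenshtein(name, tname)          # spelling variation (examp1ebank)
            if 0 < dist <= max(1, len(tname) // 4):
                return ("suspicious", f"{host}: '{name}' is {dist} edit(s) away from '{tname}'")
        if tname in labels:                          # our name used as a decoy subdomain
            return ("suspicious", f"{host}: our name '{tname}' inside an unrelated host")
    return ("untrusted", f"{host} is not a domain we use")


if __name__ == "__main__":
    for link in ["https://www.examplebank.com/login", "https://examplebank.net/login",
                 "https://examp1ebank.com/login", "https://examplebank.com.evil-login.net/",
                 "http://kda.ks.gov/", "https://unrelated.example/"]:
        print(link, "->", classify_url(link))
```

The allow-list approach is the point: rather than trying to enumerate bad domains, compare what you were sent against the short list of hosts you actually do business with, and treat anything else as untrusted until verified through a known-good channel such as a previous statement.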

Phishing : 

What do you do if you think you are a victim?
If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
Watch for other signs of identity theft.

Portable Devices : 

Portable devices include laptops, USB drives, PDAs and Blackberries. Portable devices are high security risks because:
they are portable, and can be easily lost or stolen
once stolen, they give thieves an unlimited amount of time to break into the device
they allow unprotected data to be easily compromised
they can be subject to shoulder surfing when used in public places

Portable Devices : 

How do you physically secure portable devices?
Keep portable devices with you at all times, and use locking security cables when not with you.
Store them under LOCK & KEY when not in use.
Be very cautious when using them in public places.
Immediately report a lost or stolen device to your supervisor and IRT.

Portable Devices : 

How do you protect data stored on portable devices?
If the device supports it, require a password to log in.
Laptops: save important and sensitive data to a network drive, not to the local hard drive.
Store confidential and sensitive information on portable devices only if it is absolutely necessary.
Devices storing confidential and sensitive information must be encrypted.
Remember, you are responsible for any data you store on a portable device!

Individual Accountability : 

User ID
Each of us has been assigned a unique ID to access agency information. You are accountable for what occurs under your user ID. You should understand that activity associated with your user ID is monitored. Monitoring includes, but is not limited to:
when you log in
when you access files
all your activity on the Internet
when you use your building key card for physical access

Individual Accountability : 

Information Security
Each one of us is responsible for the safety and security of the information we work with. Ensure that information is always handled securely, as appropriate to the security category or sensitivity of the information.

Individual Accountability : 

Information Security
Be aware of where you are and handle information accordingly: be sure your conversations cannot be overheard.
Applications accessing sensitive information automatically log users off after a period of inactivity. This helps protect against unauthorized disclosure of sensitive information. However, you are still responsible for locking your computer before you step away.

Individual Accountability : 

Information Security
Be aware that files stored on the local hard drive are not backed up. Only files stored on network drives are backed up. To protect files from loss, you must store files on the network drives for proper backup and recovery.

Individual Accountability : 

Information Security
Each of us is responsible for protecting agency assets. Assets include:
personal computers
laptops and portable devices
your user ID
passwords
any sensitive information you have access to

Incident Reporting : 

What are incidents? Incidents are events or activities that compromise equipment, systems, or information.
What activities should you report? Activities that should be reported immediately include:
unauthorized use of a computer
suspected tampering with files or data
disclosure of sensitive information
unusual computer activity or issues
suspicious emails

Incident Reporting : 

Report incidents to the IRT Helpdesk at (785) 296-8770 or helpdesk@kda.ks.gov

Slide 34: 

Questions?