WELCOME
WHAT AND WHY
• Everyone is key
• We’re in this together
• This is important because it’s everywhere
• Let me know how I can better help you
WHAT COULD POSSIBLY HAPPEN?
• It starts with a suspicious email
• Then one thing leads to another
• Eventually ends with time and money lost
ACCOUNTABILITY
HOW YOU CAN HELP
DON’T LET CURIOSITY GET THE BEST OF YOU
• There are many things that can go wrong and not a lot of things that can go right
DON’T BE ASHAMED
• Any of us can be fooled
• Even I’ve been hit
HOW YOU CAN HELP
OPEN THE LINES OF COMMUNICATION
• Have a good rapport with someone
• Future security events will be that much easier
KEEP YOUR DESK CLEAR AND COMPUTER LOCKED
• Keep the pranksters honest
• Stifle nosy neighbors
• Lock that computer
• Win: Win + L (or CTRL + ALT + DEL, then Lock)
• Mac: CTRL + ⌘ + Q
MALICIOUS EMAILS
ABOUT YOUR FRIEND, SPAM PROTECTION
• Spam amounts to roughly 90% of ALL mail
• Your spam filter works but won’t catch them all
• Email is easy to spoof
• Don’t respond to spam
PHISHING DEFENSE
• Everyone gets hit with phishing attacks
• There are a few red flags to look out for
• If you have questions contact the company directly, ask your IT Department, or check trusted online sources
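The red flags above (a spoofed or mismatched sender, and links whose visible text points one way while the real target points another) can be checked mechanically. The script below is an added example written for this page, not something from the original deck; the email it inspects is constructed for the illustration and the domains in it are made up.

```python
"""Red-flag checks for a suspicious email.

Added illustration, not part of the original deck. The message below is
constructed for the example. The checks are the usual ones: a Reply-To or
Return-Path domain that differs from the From domain, a display name that
claims one organisation while the address belongs to another, and links whose
visible text names one host while the href goes somewhere else.
"""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email; domains are invented).
SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Microsoft Account Team" <security@contoso-login.example>
Reply-To: helpdesk@contoso-login.example
To: you@example.org
Subject: Unusual sign-in activity
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected a sign-in from a new device. Verify your account:</p>
<a href="https://account-verify.example/login">https://account.microsoft.com/security</a>
<p>Or visit <a href="https://www.microsoft.com/security">our help page</a>.</p>
</body></html>
"""


def domain_of(addr) -> str:
    """Lower-cased domain part of an RFC 5322 address ('' if none)."""
    _, email_addr = parseaddr(str(addr or ""))
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text: str) -> bool:
    """Heuristic: link text that itself reads as a URL or hostname."""
    return "." in text and " " not in text


def link_mismatches(html: str):
    """Return (visible text, href) for links whose shown host != real host."""
    parser = LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            out.append((text, href))
    return out


def red_flags(raw: str):
    """List human-readable red flags found in a raw email."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    from_dom = domain_of(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        d = domain_of(msg[hdr])
        if d and d != from_dom:
            flags.append(f"{hdr} domain {d} differs from From domain {from_dom}")
    name, _ = parseaddr(str(msg["From"] or ""))
    # Heuristic: a display name whose words appear nowhere in the sending domain.
    words = [w for w in name.lower().split() if len(w) > 3]
    if words and not any(w in from_dom for w in words):
        flags.append(f"display name {name!r} does not match From domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for text, href in link_mismatches(body.get_content()):
            flags.append(f"link text {text!r} actually points to {href}")
    return flags


if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("RED FLAG:", flag)
```

The display-name rule is deliberately loose (it only asks whether any word of the name shows up in the domain), which is the right trade-off for a triage aid: it should surface candidates for a human to look at, not decide on its own.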
PHISHING EXAMPLE
• This Microsoft example is a good one: https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx
MALICIOUS EMAIL EXAMPLE
• Dangerous Google Doc example: https://arstechnica.com/information-technology/2017/05/dont-trust-oauth-why-the-google-docs-worm-was-so-convincing/
• Google’s response to the attack: https://twitter.com/googledocs/status/859878989250215937
SOCIAL ENGINEERING
WHAT IS SOCIAL ENGINEERING?
• The practice of tricking you into divulging something
• How would you know if you’re being hit?
• Look out for attacks in person:
• Tailgating
• Shoulder surfing
• Conversation
WHAT IS SOCIAL ENGINEERING?
• Look out for attacks on the computer:
• Phishing
• Tech support scams: https://www.consumer.ftc.gov/articles/0346-tech-support-scams
• Social media
• Look out for attacks on the phone:
• Smishing
• Vishing
• Help your co-workers!
SOCIAL ENGINEERING DEFENSE
• Social engineering = Person unknown + Needs something now + or else
SOCIAL ENGINEERING EXAMPLE
• What password? We don’t need a password
• That secret question isn’t so secret, is it?
DATA HANDLING
TRANSMITTING DATA
• The common expression: https://en.wikipedia.org/wiki/Loose_lips_sink_ships
• Leakage could be accidental
• Which information is harmless and which is important?
KEEPING CONTROL OF DATA
• People have different access levels
• Make it just a bit harder to snoop
USE OF CLOUD STORAGE
OVERVIEW OF PROTECTED DATA SETS
• Regulated data is protected by governing bodies
• Important to understand this exists so you know what to do with information
• Not necessary to know everything about it
PASSWORDS
IMPORTANCE OF GOOD PASSWORDS
• Passwords can be hard to come up with and even harder to remember
• Passwords are unfortunately the last bit of security in most cases
• Predictable passwords are easier to crack than you think
• Study on most common passwords: https://blog.keepersecurity.com/2017/01/13/most-common-passwords-of-2016-research-study/
PASSWORD BEST PRACTICES
• User friendly
• Don’t make it easy to guess or predict based on behavior
• Longer is better but don’t worry too much about crazy complexity
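Two of the claims above, that predictable passwords are easier to crack than you think and that length matters more than forced complexity, can be shown with numbers. The script below is an added example for this page, not from the original deck; the guess rate and the small list of common passwords it uses are constructed for the illustration (the study linked above ranks the real ones).

```python
"""Why length beats forced complexity, and why "clever" substitutions do not help.

Added illustration, not part of the original deck. The guess rate and the
short common-password list below are constructed for the example.
"""
import math

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # printable ASCII character classes


def search_space_bits(length: int, charset_size: int) -> float:
    """Entropy in bits of a password chosen uniformly at random."""
    return length * math.log2(charset_size)


def days_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Days to try every candidate at the assumed (offline, fast-hash) guess rate."""
    return 2 ** bits / guesses_per_second / 86_400


def compare_policies():
    """8 characters from the full 95-character set vs 16 lowercase letters."""
    short_complex = search_space_bits(8, LOWER + UPPER + DIGITS + SYMBOLS)
    long_simple = search_space_bits(16, LOWER)
    return {
        "8 chars, full charset": (round(short_complex, 1), days_to_exhaust(short_complex)),
        "16 chars, lowercase only": (round(long_simple, 1), days_to_exhaust(long_simple)),
    }


# Constructed stand-in for a real common-password list.
COMMON = {"123456", "password", "qwerty", "letmein", "football", "welcome", "monkey"}
LEET = str.maketrans("@$0134", "asoiea")   # the substitutions crackers undo first


def normalize(password: str) -> str:
    """Undo what people believe adds strength: case, trailing digits or
    punctuation, and leetspeak (P@ssw0rd1 -> password)."""
    stripped = password.lower().rstrip("0123456789!?.#")
    return stripped.translate(LEET)


def is_predictable(password: str) -> bool:
    """True if the password is short or a dressed-up common word."""
    return len(password) < 8 or normalize(password) in COMMON


if __name__ == "__main__":
    for label, (bits, days) in compare_policies().items():
        print(f"{label:26s} {bits:5.1f} bits  ~{days:,.0f} days to exhaust")
    for pw in ("P@ssw0rd1", "Welcome2017!", "correct horse battery staple"):
        print(f"{pw!r:32s} predictable={is_predictable(pw)}")
```

The point of the second half is that cracking tools apply the same rules (strip the trailing year, map @ to a, 0 to o) before comparing against a wordlist, so a substituted dictionary word buys almost nothing; the point of the first half is that sixteen plain letters carry far more entropy than eight "complex" characters.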
ALL ABOUT SECURITY QUESTIONS
• Sounds secure but knowledge based authentication turns out to be weak
• Don’t create security answers that are easy to figure out with basic research
• The more you can throw off the better
SAFE BROWSING
ADS AND SPONSORED CONTENT
• Information doesn’t have to be true to be published
• Sponsored content is designed to make advertising money from clicks
• Not all ads are malicious but there is certainly no shortage of bad ads
TYPOSQUATTING AND MALICIOUS WEBSITES
• Anyone can buy a domain and hosting
• Watch what you type and search!
• Bookmark when you can
TYPOSQUATTING AND MALICIOUS WEBSITES
• Example of people buying website names to capitalize on one of the biggest breaches in the US
• The words aren’t misspelled but the order is wrong
• The correct site was equifaxsecurity2017.com
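The example above is one instance of a general pattern: the same words in a different order, a hyphen added, a letter dropped or swapped, or a look-alike character. The script below is an added example for this page, not from the original deck. It takes the legitimate name the slide gives, split into its words, generates the variants a squatter would register, and classifies a domain you are about to visit. It makes no claim about which of the generated names were actually registered; they are candidates produced by the rules.

```python
"""Catch look-alike domains before you type or click them.

Added illustration, not part of the original deck. It starts from the
legitimate name on the slide (equifaxsecurity2017.com) split into its words
and generates the variants a squatter would register. The candidates are
generated, not a list of domains anyone is known to have registered.
"""
from itertools import permutations

LEGIT_WORDS = ("equifax", "security", "2017")   # from the slide
TLD = "com"
HOMOGLYPHS = {"o": "0", "0": "o", "l": "1", "1": "l", "i": "1",
              "e": "3", "a": "4", "s": "5", "m": "rn"}


def lookalikes(words=LEGIT_WORDS, tld=TLD):
    """Map candidate domain -> the reason it resembles the legitimate one."""
    base = "".join(words)
    out = {}
    for perm in permutations(words):
        joined = "".join(perm)
        if joined != base:
            out.setdefault(f"{joined}.{tld}", "same words, different order")
        out.setdefault(f"{'-'.join(perm)}.{tld}", "hyphenated variant")
    for i, ch in enumerate(base):
        out.setdefault(f"{base[:i] + base[i + 1:]}.{tld}", "character omitted")
        if i + 1 < len(base):
            swapped = base[:i] + base[i + 1] + ch + base[i + 2:]
            out.setdefault(f"{swapped}.{tld}", "adjacent characters transposed")
        if ch in HOMOGLYPHS:
            out.setdefault(f"{base[:i] + HOMOGLYPHS[ch] + base[i + 1:]}.{tld}",
                           "look-alike character")
    out.pop(f"{base}.{tld}", None)   # drop variants that collapse back to the real name
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for variants the generator does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check(domain: str, words=LEGIT_WORDS, tld=TLD) -> str:
    """Classify a domain the user is about to visit."""
    d = domain.lower().strip().rstrip(".")
    base = "".join(words)
    if d == f"{base}.{tld}":
        return "legitimate"
    reason = lookalikes(words, tld).get(d)
    if reason:
        return f"lookalike: {reason}"
    label = d.rsplit(".", 1)[0]
    dist = edit_distance(label, base)
    if dist <= 2:
        return f"close to the legitimate name (edit distance {dist}); verify before trusting"
    return "not a known variant; still verify the address"


if __name__ == "__main__":
    for name in ("equifaxsecurity2017.com", "securityequifax2017.com",
                 "equifax-security-2017.com", "equifaxsecurty2017.com",
                 "equifaxsecurity2o17.com", "equifaxsecuritty2017.com"):
        print(f"{name:30s} {check(name)}")
```

The generated table is what a defender would register defensively or feed to a monitoring service; the edit-distance fallback catches insertions and double letters the enumeration leaves out. Bookmarking the real address, as the slide suggests, sidesteps the whole problem.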
DANGEROUS SEARCHES AND SCAMS
• Bad people love to ride buzz and viral traffic
• Trending people can be a source of phishing attempts and malware delivery
• Social Media is a big part of it too
• Fake accounts
DANGEROUS SEARCHES AND SCAMS
• Be careful what you search and who you talk to. You may be in for a surprise!
MOBILE DEVICES
APP SAFETY ON ANDROID AND IOS
• Beware of counterfeit mobile apps
• Bad apps can be published to Apple App Store and Google Play Store
• Do a quick run through to see if app is legitimate
USING PUBLIC WI-FI
• Anyone can potentially see your traffic
• Refrain from doing critical work or personal stuff on public networks
• Limit to general browsing
• If you do have to connect, make sure you see HTTPS in the address bar (it protects what you send and receive, but not which sites you visit)
YOUR PERSONAL DEVICES IN THE WORKPLACE
• Even on a personal device you’re still bound by the organization’s resource and network usage policies
• Could usage of your personal device raise privacy concerns?
RANSOMWARE
ABOUT RANSOMWARE AND HOW IT SPREADS
• Ransomware is a nasty piece of malware that locks your computer or encrypts the files on it, then demands payment
• Distributed the same way as regular malware
ABOUT RANSOMWARE AND HOW IT SPREADS
• Sample of older style ransomware
• Not the first but still early
• Fake FBI message
WHAT IF YOU GET HIT WITH RANSOMWARE?
• Think very hard before you decide to pay
• Paying does not guarantee you’ll get your files back, or that you won’t be attacked again
• Paying funds this business model
RANSOMWARE DEFENSE
• Modern antivirus software catches many known ransomware variants, but not all of them, so don’t rely on it alone
• Make backups!!!!
• Be careful with links and files in emails
WHAT DO YOU SEE?
IF YOU SEE SOMETHING SAY SOMETHING
• There are a few ways that can raise red flags
• Just because your computer is slow or the Internet is down doesn’t necessarily mean you’re under attack
• If you think you’ve been hit, let your IT helpdesk or security office know
• If you’ve been hit at home, use the FTC’s resource at https://www.identitytheft.gov
• If you think you’ve revealed info about your organization, report it
THANKS FOR JOINING!
• Let me know how I can help