Information Security Awareness Programme
Information Security & Governance, AIA Singapore
Version 1.0, Nov 2018
Information Security Awareness
• Phishing and Social Engineering
• Human Firewall
• Staying Secure Online
• Secure Passwords
• Information on the Internet
• Working Remotely
• Data Protection & Destruction
• Escalation of Cybersecurity Incidents
01 Phishing and Social Engineering
Phishing and Social Engineering
• Phishing is one of the most common forms of social engineering attack, and it targets humans.
• ‘Social engineering’ refers to the psychological manipulation of human behaviour.
• Human emotions like curiosity, fear and greed are exploited by hackers to achieve their goals.
Phishing and Social Engineering
• Hackers use phishing to take control of your information, steal your personal identity, or gain access to the company’s networks, systems, applications and data.
• Attackers may launch phishing via email, SMS, instant messaging, etc.
• Some phishing attempts are easy to spot, whilst others – like email messages that claim to be from your bank or someone you know – are much harder to detect.
• Mainly, phishing emails will try to get you to:
  • Click on a link to a malicious website
  • Open a malicious attachment that contains malware
  • Provide sensitive information, like an account password
Phishing and Social Engineering
SingHealth Data Breach Incident (Jul 2018)
• Phishing was reportedly used as the tool to gain access to a front-end workstation at SGH, which provided the entry point to the entire healthcare network.
• Staff using that workstation downloaded a file from the phishing email, introducing malware to the workstation.
• The malware that came with the phishing email was customised and tailored to target SingHealth’s IT systems.
Source: “Measures to boost staff awareness of cybersecurity”, Straits Times Online, 6 Nov 2018
Phishing and Social Engineering
Scenario: Thomas Tan, Operations Executive, AJA Insurer Pte Ltd.
1. Thomas receives a phishing email (“AJA INSURER STAFF REWARDS”).
2. Thomas clicks the URL.
3. Thomas fills in the form with his AJA user and password credentials.
4. Thomas downloads the attachment.
5. The attachment triggers installation of malware on Thomas’ workstation, giving the threat actor remote access into the workstation.
6. Threat actor accesses the workstation and takes full control of it.
7. Threat actor gains access into AJA’s core application servers!
8. Threat actor downloads staff, agent and customer data from AJA’s servers:
  • Policy admin system
  • Agents database
  • CRM system
  • HR Management system
Phishing and Social Engineering
• Tell-tale Signs of a Suspicious Email
  • The email claims to be from AIA but is sent from a suspicious “look-alike” domain.
  • It offers a “free gift”; if in doubt, the user can check with the helpdesk.
  • Grammatical errors.
  • The email purports to have been issued by HR, yet there is no HR signature or sign-off.
  • Hovering over the link shows http://aia-vit.com/aif2ed6e253/2fd580d3c35b1c33e2cb615f/index.php?id=d834a17ef09b9ca, which is a non-AIA domain.
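Two of the signs above (the look-alike sender domain and the hover link pointing at a non-AIA domain) can be checked mechanically rather than by eye. The script below is an added illustration, not part of the AIA deck: it pulls the From: address and every link out of an email body and flags any host that is not under a trusted domain. The TRUSTED_DOMAINS set, the sender address and the intranet link are assumptions constructed for the example; the hover URL is the one quoted on the slide.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption for this example: the domains the reader treats as genuinely AIA.
# This is not AIA's real domain list; adapt it to your own organisation.
TRUSTED_DOMAINS = {"aia.com", "aia.com.sg"}

# Constructed sample email. The hover link is the one quoted on the slide;
# the sender address and the intranet link are made up for this example.
SAMPLE_EMAIL = """From: "AIA HR" <hr@aia-staffrewards.example>
Subject: Staff Rewards - claim your free gift

Dear Staff,
Click http://aia-vit.com/aif2ed6e253/2fd580d3c35b1c33e2cb615f/index.php?id=d834a17ef09b9ca to claim your gift.
Benefits portal: https://intranet.aia.com/benefits
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
FROM_RE = re.compile(r"^From:\s*(.+)$", re.MULTILINE)


def link_hostname(url):
    """Return the host a link really points at (lower-cased), or None."""
    host = urlsplit(url).hostname  # ignores scheme, userinfo, port and path
    return host.lower().rstrip(".") if host else None


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a subdomain of one.
    A look-alike such as aia-vit.com shares a prefix, not a suffix, so it fails."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def sender_domain(from_header):
    """Extract the domain of the address in a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def suspicious_links(text, trusted=TRUSTED_DOMAINS):
    """All links whose destination host is not under a trusted domain."""
    findings = []
    for url in URL_RE.findall(text):
        host = link_hostname(url)
        if host is None or not is_trusted_host(host, trusted):
            findings.append((url, host))
    return findings


def review_email(raw, trusted=TRUSTED_DOMAINS):
    """Summarise the two tell-tale signs a user can verify mechanically."""
    m = FROM_RE.search(raw)
    sdom = sender_domain(m.group(1)) if m else None
    return {
        "sender_domain": sdom,
        "sender_trusted": sdom is not None and is_trusted_host(sdom, trusted),
        "suspicious_links": suspicious_links(raw, trusted),
    }


if __name__ == "__main__":
    result = review_email(SAMPLE_EMAIL)
    print("sender domain:", result["sender_domain"],
          "(trusted)" if result["sender_trusted"] else "(NOT trusted)")
    for url, host in result["suspicious_links"]:
        print("suspicious link ->", host, "|", url)
```

The suffix check matters: matching on “contains aia” would wave through aia-vit.com, whereas requiring the host to end in a trusted domain does not. It still cannot tell you that an email from a genuine domain is safe; the remaining signs on the slide (tone, missing signature, unexpected “free gift”) need a human.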
Phishing and Social Engineering • Tell-tale Signs of Suspicious SMS
Phishing and Social Engineering
• Phishing Prevention
  • Be suspicious of unexpected emails and messages
  • Be suspicious of emails and messages from unknown senders
  • Be suspicious of any links
  • Never open unexpected attachments
  • Only send and reply to relevant parties
  • If in doubt, verify with the sender to ensure the email or message is legitimate
02 Human Firewall
Human Firewall
• Hackers often need to trick individuals into divulging important information.
• Humans are the weakest link in the chain of security, and hence the number one target of attackers.
Human Firewall
• Examples of attacks:
  • E.g. Sending you a fake email with a bad link or attachment inside it to compromise network access is easier for attackers than trying to hack into the corporate network from outside through other means.
  • E.g. An attacker targets an individual on social media or other websites, using the information they have shared to customise email attacks so they seem more real.
Human Firewall
• Prevention:
  • See yourself as part of the defence of your organisation’s information technology systems, and ultimately of the defence of AIA’s information
  • Take a moment to think through any and all social interactions:
    • Is the question that person on the phone is asking you appropriate, or a normal thing to ask?
    • Is the email that you just received from a coworker official, or does something seem “off” about it?
    • Is your computer slower than normal?
    • Do you know the real identity of those you interact with on social media and Internet websites?
    • Are you aware and conscious of the information you share on social media and Internet websites?
03 Staying Secure Online
Staying Secure Online
• Nowadays, virtually everyone and everything is online.
• As we all become more connected, online attacks are a constant threat.
• E.g. Your computer can be infected with malware by opening an attachment in an email, or by visiting a website that automatically downloads malicious software onto it.
Staying Secure Online
• Be aware, and follow these easy steps to stay safe online
  • Use different passwords for different sites
    • Use a trusted password manager to help create strong passwords and keep track of credentials for different sites
  • Keep your browser and plugins updated
    • Once in a while, you will see web browser update notifications
  • Use secure browser settings
    • Find the security settings of the browser you use and set the security level between Medium and High
  • Learn to recognise normal browser behaviour
    • Abnormal browser behaviours include:
      • Running slower than usual
      • Taking you to sites you did not request or do not recognise
Staying Secure Online
  • Learn about error messages
    • They are hints that something is wrong with your browser or the site you are visiting
    • Trust warnings, script errors and certificate errors
  • Always log out
    • Click the logout button every time you are done using an online service
  • Know how information can be used against you
    • Be careful when providing personal details online
  • Disable saved forms (e.g. auto-filling of login passwords)
    • Malicious software can gain access to your sensitive data
  • Disable Flash and Java
    • Disabling these browser extensions/plugins helps to eliminate the security threats that come with them
04 Secure Passwords
Secure Passwords
• Creating Strong and Unique Passwords
  • Do NOT:
    • Create simple single-word passwords
      • E.g. P@55w0rd
    • Use the same password between systems or sites
    • Use keyboard sequences
  • Do:
    • Try to create a password that is 12 characters or more in length
    • Ensure the password contains both upper and lower case letters
Secure Passwords
• Creating and Remembering a Strong Password:
  • Mnemonic Phrases: e.g.
    • llttlsoMB@s5
      • Short for the phrase “I love to take long strolls on Mexican Beaches at sunset”
    • Dan1tm!lltaal
      • Short for the phrase “Dogs are number 1 to me! I like them all a lot.”
  • Pass Phrases: e.g.
    • D0gsbark@mailmen!
  • Use a Password Management Application
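The password rules on the two slides above (12 or more characters, mixed case, not a single word even in leet-speak, no keyboard sequences, no reuse across sites) are concrete enough to encode. The checker below is an added example written for this page, not an AIA tool; the small COMMON_WORDS list and the leet-speak substitution table are constructed stand-ins, and a real deployment would use a breached-password list instead.

```python
import re

# Constructed mini wordlist standing in for a real dictionary / breach list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon",
                "monkey", "football", "iloveyou", "admin", "sunshine"}

# Keyboard rows the deck warns against (plus their reverse); 4 or more
# consecutive characters from any row counts as a keyboard sequence.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
KEYBOARD_ROWS += [row[::-1] for row in KEYBOARD_ROWS]

# Common letter/symbol substitutions, so "P@55w0rd" is still recognised
# as the single word "password" (assumed table, not exhaustive).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})

MIN_LENGTH = 12


def normalise(pw):
    """Undo leet-speak substitutions and keep lower-case letters only."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def has_keyboard_sequence(pw, run=4):
    """True if any `run` consecutive characters lie along a keyboard row."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if any(chunk in row for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(pw):
    """Return the deck's rules that the password breaks (empty list = OK)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("no_mixed_case")
    if normalise(pw) in COMMON_WORDS:
        problems.append("single_word")
    if has_keyboard_sequence(pw):
        problems.append("keyboard_sequence")
    return problems


def reused_passwords(site_passwords):
    """Groups of sites that share one password (the 'one per site' rule)."""
    by_pw = {}
    for site, pw in site_passwords.items():
        by_pw.setdefault(pw, []).append(site)
    return [sorted(sites) for sites in by_pw.values() if len(sites) > 1]


if __name__ == "__main__":
    # The deck's own examples: the bad one and the three recommended ones.
    for candidate in ["P@55w0rd", "llttlsoMB@s5", "Dan1tm!lltaal", "D0gsbark@mailmen!"]:
        print(f"{candidate:20s} -> {check_password(candidate) or 'OK'}")
    # Constructed sample of one user's passwords across sites.
    print(reused_passwords({"bank": "llttlsoMB@s5", "mail": "llttlsoMB@s5",
                            "shop": "Dan1tm!lltaal"}))
```

Note that P@55w0rd fails even though it mixes case, digits and a symbol: substitutions do not turn a dictionary word into a strong password, which is exactly why the deck lists it under “Do NOT”.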
05 Information on the Internet
Information on the Internet
• Attackers can use the personal information that we share on the Internet against us.
  • Full name, birthday, hometown, location information, past jobs, etc.
• E.g. The answer to the security question that protects your account when you register an online login ID can easily be revealed by the information you share on social networking sites like Facebook.
Information on the Internet
• Protection:
  • Put careful thought behind the information we share online, both
    • personal details and
    • what we say and post online, which can affect our security and privacy.
      • E.g. Does everyone really need to know that you cannot possibly be at home?
  • Only share the information that is absolutely necessary for your needs online.
  • Restrict the visibility of what you share to only those people you know and trust personally.
06 Working Remotely
Working Remotely
• Nowadays, even with all the security controls in place, it can be easy for an attacker to hijack your network connection at some public locations and intercept your communications.
Working Remotely
• When working in a public place
  • Dos
    • Sit at a seat where your back is against the wall of the establishment
    • Never leave any of your devices unattended
    • Keep all security controls up to date and in place
      • Any required security software is in place and up to date (e.g. antivirus software)
    • Browse only secure websites (their addresses start with https)
    • Keep browsers and operating systems up to date
  • Think about what type of work you are doing when in public spaces
    • Ask yourself: is this really a good location to do work?
    • Is the five minutes of work you will get done worth the risk of working at a certain location?
Working Remotely
• Securing your home WiFi
  • Ensure your wireless router at home is using:
    • WPA2 encryption and
    • a strong wireless password
07 Data Protection & Destruction
Data Protection & Destruction
• Data Classification in AIA
  • Highly Confidential
    • Highly sensitive; unauthorised disclosure will have a material impact on AIA’s financial performance, share price, brand reputation, etc.
    • Access/use is granted strictly on a need-to-know basis and limited to named users only
    • E.g. Personally Identifiable Information (PII), Price Sensitive Information (PSI), trade secrets, etc.
  • Confidential
    • Sensitive; unauthorised disclosure will have a significant impact on AIA’s financial performance and brand reputation
    • Access/use is restricted to a specific group of persons, to perform necessary business operational activities only
    • E.g. Business strategies, new product development, marketing plans, computer program source code developed in-house, etc.
Note: This section describes AIA’s data classification. While your organisation may have its own internal data classification standard, please ensure you understand and comply with AIA’s standard while handling AIA’s data.
Data Protection & Destruction
  • Restricted
    • Less sensitive; unauthorised disclosure has limited or insignificant impact on AIA’s financial performance or brand reputation
    • Access/use is intended for daily operations and is restricted to internal users only
    • E.g. Company policies, standards and procedures, approved supplier list, market or product research, etc.
  • Public
    • Disclosure of the information does not pose a risk to the security of physical or information resources
    • The information is publicly available and can be disclosed or shared with the public
    • E.g. Brochures, advertisements, website information, press releases, etc.
Data Protection & Destruction
• How to handle sensitive data:
  • Do not disclose/upload AIA Restricted, Confidential or Highly Confidential information to any external website or social media.
  • Encrypt email attachments that contain sensitive data (e.g. Microsoft Excel files, PDF documents). The encryption password must be distributed to the recipients separately (do not put the password in the same email; best is to call the recipient with the password).
  • Encrypt your laptop and encrypt files on your desktop, and especially files copied to portable media (thumb drives, portable hard discs, CD/DVDs, etc.).
  • Use software to securely erase sensitive data before disposing of a device or allowing anyone else to use it.
  • Physically destroy documents and devices containing sensitive information, e.g. shred paper documents, crush magnetic media (after secure erase).
Data Protection & Destruction
• Would you like to find out more?
• Data Loss Protection on Laptop/Desktop/Mobile Devices:
  • Install anti-virus software and keep its definitions up to date
  • Perform a periodic full scan of system files and folders
  • Install the latest security patches for software and the operating system
  • Install and enable software with remote wipe capability
  • Do not jail-break or root mobile devices that process or store AIA data
  • Enable a device password on mobile devices and change the password periodically
08 Escalation of Cybersecurity Incidents
Escalation of Cybersecurity Incidents
Importance of Timely Escalation
Case in point: SingHealth data breach incident (2018)
• Mid Jun: Despite signs of unauthorised accesses to the SCM DB, SingHealth’s vendor (IHiS) staff were not aware that a cybersecurity incident had occurred
• 4 Jul: Data breach incident was discovered
• 9 Jul: IHiS staff escalated to their own senior management
• 10 Jul: IHiS informed SingHealth and the Cyber Security Agency (CSA) of the cyber attack
1 month of delay in escalation.
Repercussion: Both SingHealth and IHiS breached the Cybersecurity Act, which requires CSA to be notified within 2 hours of a relevant cybersecurity incident.
Escalation of Cybersecurity Incidents
AIA looks to its vendors and their sub-contractors to:
• Put in place robust monitoring to detect unusual cyber activities and suspected data breaches, for systems and infrastructure that involve handling and processing of AIA data
• Notify your business contact person(s) in AIA as soon as possible, or within the stipulated SLA, whenever an actual cyber attack has taken place affecting AIA’s data
I acknowledge that I have read and understood the Information Security Awareness Programme.
Signature:
Name: Hazel Ong
Date: 11 January 2019