
Minimum Cyber-Security Requirements: What You Need To Know


Presentation Transcript


  1. Minimum Cyber-Security Requirements: What You Need To Know

  2. What is Information Security and Why Do We Need It?

  3. Why do we need information security?
  • In the digital world we trust insecure data from unauthenticated sources. WHAT?!?

  4. Let's break that down a bit
  • Definitions first
  • Data – electronically stored information *
  • Authenticated vs. unauthenticated – Do you know who or what they are? Are you sure?
  • Firewall – a security system that uses hardware and/or software mechanisms to prevent unauthorized users from accessing an organization's internal computer network.
  • Malicious software – software used or programmed by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. This includes spyware, adware, viruses and general malware.
  • Software patches – software that corrects a problem.

  5. Aren't Computers Protecting Us?
  • In the digital world we trust insecure data from unauthenticated sources.
  [Diagram: the expected flow. User requests http://www.tdbank.com → Server returns TDBank homepage → User submits logon information → Server returns account information]

  6. [Diagram: the same flow with a hacker in the middle. User requests http://www.tdbank.com → Hacker requests http://www.tdbank.com from the server → Server returns TDBank homepage to the hacker → Hacker returns TDBank homepage to the user → User submits logon information → Hacker submits logon information to the server → Hacker returns an error page to the user]

  7. This will never happen to me…
  • Political espionage
  • Retaliation
  • Internal threats
  • Just because I can
  • Financial gain

  8. Still don’t believe me?

  9. Still don’t believe me?

  10. Still don’t believe me?

  11. So what do we do?
  • Good policy
  • Best-of-breed technology solutions
  • Staff and end user education
  What everyone should do! Make sure computers used to do bank transactions are not used for any other Internet work – like email or browsing.

  12. Best Practices for a Cyber Security Policy

  13. Establish an IT Cyber Security Policy
  • Put someone in charge to develop and implement plans and policies
  • Develop a cyber security plan (many examples can be found online)
  • Promote and increase awareness and training in cyber security, and user understanding of risks and risky behavior
  • Communicate the responsibilities of the organization and of individual users for the protection of information
  • Be aware of regulations regarding the protection of information
  • Establish communication procedures
  • Everyone needs to know what, how and to whom to report a cyber security incident or problem

  14. The plan should also…
  • Identify threats, vulnerabilities and consequences and take appropriate action to mitigate and prevent them
  • Include password policies (strength and updating)
  • Prepare for the inevitable – COOP and COG: Continuity of Operations and Continuity of Government
  • Cover disaster recovery, including protecting the availability and recoverability of the organization's information services and missions
  • Ensure a hardware and software asset inventory is maintained

  15. An unprotected computer is one that does not: (or, what all your computers need to do)
  • …have antivirus or spyware protection software installed and updated regularly
  • …have a hardware or software firewall installed to manage communications between and among networks
  • …require the user to authenticate (using a password or a token) when logging on
  • …have operating system and software patches installed and regularly updated

  16. POLL QUESTION!

  17. How to Protect your Computing Environment

  18. Protect Your Border
  • Use a strong firewall
  • What is a firewall? A system (software or hardware or both) designed to prevent unauthorized access to or from a private network.
  • US Border Patrol = Firewall
  • Gateway – something that serves as an entrance or a means of access.
  • US Customs border crossing = Gateway

  19. What Comes Through the Border?
  • Email
  • Websites
  • File transfers
  • DATA!!!
  • Is it good or bad data?

  20. Is the Data OK?
  • Emails are scanned in the same way our border patrol looks at suspicious vehicles or people doing things that are not normal (i.e., profiling)
  • Viruses have signatures and behave in certain manners. Variants – small changes that behave a little differently but overall have the same profile.

  21. Is the Data OK?
  • Spam is scanned much the same way a virus is detected: by behavior
  • Behavior could be the attachment file type, i.e., a zip, exe or bat file
  • Words, or suspicious and known URL links, that appear in an email
  • This is possibly why a good email is flagged as bad: because of possibly suspicious behavior

  22. Where is Your Protection?
  • Cloud protection – mail first goes into a 3rd-party system, is scanned, then forwarded to your system
  • Software gateway scanning – harder to manage but effective and easy to control
  • Hardware devices – Barracuda, Watchguard, SonicWall, etc. – can be costly, but some work with the cloud to continue updates

  23. You are Always the Last Line of Defense
  • Another analogy for a data request
  • Web request = ordering a package from outside the US
  • It goes through okay, undetected… (may still contain a virus)
  • Delivery comes to your house (equivalent to your PC)
  • Houses have security systems; computers have them too, referred to as "endpoint security." Even though a package is delivered, it gets scanned again at delivery.

  24. Is Any of This 100%?
  • None of the security systems are 100% perfect, since threats are always evolving
  • If you say it's okay to release, or if it's okay to come through, it still may not be safe
  • The behavior of types of viruses and intrusions is the cornerstone of stopping DDoS, bank theft, and multiple-variant viruses such as key loggers
  • Keep updated, and do what is updated most easily for simple distribution in your environment

  25. QUIZ TIME

  26. End User Education – The Best Defense

  27. STOP & THINK!
  • Always be suspicious – look for red flags
  • If a stranger came to your door, informed you he is from your bank and would like to verify a few items with you, and proceeded to ask you your name, social security number and date of birth, what would you do?
  • Why is an email any different?

  28. For example:
  • You receive an email at work from a bank that you do not do business with, asking you to click on the attachment to verify information.
  • 9 out of 10 times you will click on the link, thinking it's work related.
  • How is this different from someone showing up at your door?

  29. Don't Assume that an Attachment is Safe
  • Did you look up contact information to verify that this is a legitimate bank?
  • Inspect the link in the email to see if it looks real or fake.
  • Did you call the bank to see if they sent the email out?
  • Did you seek help from your technology staff?
  • Is this necessary?
  • YES! Better to be safe than lose all your data, or worse yet compromise your entire network's data

  30. Don't Assume that a Link in an Email or Website is Safe!
  • Don't click on links from inside emails
  • In all cases involving security or banking information:
  • Look for web addresses with "https://" or "shttp://"; the "s" means the site takes extra measures to help secure your information.
  • "http://" is not secure.
  • Only go to trusted websites
  • Make sure the site is legitimate: before entering any information, look for signs that the site is secure.
  • Look for a closed padlock on your web browser's address bar
  • Never use unsecured wireless networks to make an online purchase
  • Protect your $$:
  • When banking and shopping, check to be sure the site is security enabled.

  31. It Isn't Just a Mouse Click
  • Attackers may attempt to gather information by sending emails requesting that you confirm purchase or account information.
  • Legitimate businesses will not solicit this type of information through email. Contact the merchant directly if you are alerted to a problem.
  • Use contact information found on your account statement, not in the email.
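The behavior-based checks slides 21, 29, 30 and 31 describe (risky attachment types, links whose visible text does not match where they really go, links that are not https, and "confirm your account" wording) can be expressed as a small triage script. The following is an added example written for this page; it is not code from the presentation or from GMIS-NJ. The sample messages are constructed, the phrase list is an assumed stand-in for the "words" a gateway would look for, and the mismatch rule only compares hostnames, so it is a red-flag finder, not a verdict.

```python
"""Email triage heuristics in the spirit of slides 21, 29, 30 and 31 (added example)."""
import re
from urllib.parse import urlparse

# Attachment types the deck names as suspicious behavior (slide 21).
RISKY_EXTENSIONS = {".zip", ".exe", ".bat"}

# Assumed phrase list standing in for the "words" a gateway looks for (slides 21, 31).
SUSPICIOUS_PHRASES = ("verify your", "confirm your", "account information")


def attachment_flags(filenames):
    """One flag per attachment whose extension is on the risky list (case-insensitive)."""
    flags = []
    for name in filenames:
        lower = name.lower()
        if any(lower.endswith(ext) for ext in RISKY_EXTENSIONS):
            flags.append(f"risky attachment type: {name}")
    return flags


def hostname_of(text):
    """Best-effort hostname from a URL or bare domain, with a leading 'www.' dropped."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    if not host:
        return None
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def link_flags(links):
    """Inspect (display text, href) pairs: not https, or text that names a different host."""
    flags = []
    for text, href in links:
        if urlparse(href).scheme.lower() != "https":
            flags.append(f"link not https: {href}")
        # Only treat the display text as a host if it looks like a domain (has a dot + TLD).
        shown = hostname_of(text) if re.search(r"\.[a-z]{2,}", text.lower()) else None
        target = hostname_of(href)
        if shown and target and shown != target and not target.endswith("." + shown):
            flags.append(f"link text says {shown} but target is {target}")
    return flags


def wording_flags(subject, body):
    """Flag messages that ask you to verify or confirm account details (slide 31)."""
    text = f"{subject} {body}".lower()
    hits = [phrase for phrase in SUSPICIOUS_PHRASES if phrase in text]
    return [f"suspicious wording: {', '.join(hits)}"] if hits else []


def triage_email(msg):
    """Return every red flag found in a message dict; an empty list means none found."""
    return (
        attachment_flags(msg.get("attachments", []))
        + link_flags(msg.get("links", []))
        + wording_flags(msg.get("subject", ""), msg.get("body", ""))
    )


# Constructed sample messages. The first imitates the bank lure the deck describes;
# '.example' is a reserved test domain, not a real site.
SAMPLE_MESSAGES = [
    {
        "subject": "Please verify your account information",
        "body": "Click the link below to confirm your details with TDBank.",
        "attachments": ["statement.zip"],
        "links": [("www.tdbank.com", "http://tdbank.com.verify-login.example/auth")],
    },
    {
        "subject": "March agenda",
        "body": "Attached is the agenda for the March meeting.",
        "attachments": ["agenda.pdf"],
        "links": [("https://www.njgmis.org", "https://www.njgmis.org/conference.html")],
    },
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        flags = triage_email(msg)
        print(f"{msg['subject']!r}: {'HOLD' if flags else 'deliver'}")
        for flag in flags:
            print("  -", flag)
```

Running it lists four red flags for the first message (risky attachment, non-https link, a link whose text names tdbank.com while the target is another host, and verify/confirm wording) and none for the second. This is also the reason slide 21 gives for good mail being flagged: the same rules fire on any legitimate message that happens to carry a zip file or a "please confirm" request, so the output is a reason to stop and think, not proof of an attack.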

  32. You Must Outsmart the Attackers
  • How?
  • By stopping and thinking before you click
  • Ensure your computer has antivirus software and it is up to date. Reminder: renew your antivirus when it has expired
  • Verify your antivirus is running and doing scans. Check the logs after a scan.
  • Verify with the sender that an email was sent with an attachment
  • Train your technical staff; train your users
  • Make sure your contractors meet these standards

  33. You Must Outsmart the Attackers
  • Use strong passwords; do not use names, dates of birth, etc.
  • If you're in doubt, then don't click on it
  • Turn your computer off or lock it when not in use
  • Keep your operating system updates up to date
  • Don't go to untrusted sites
  • Scan your computers for spyware or malware weekly

  34. Some Resources
  • www.njgmis.org
  • www.gmis.org
  • www.cisecurity.org
  • www.stopthinkconnect.org
  • msisac.cisecurity.org
  • msisac.cisecurity.org/resources/toolkit/oct13/index.cfm
  Articles based on an extended version of this presentation will be in upcoming issues of New Jersey Municipalities Magazine.

  35. GMIS-NJ is the League's Official Technology Management Support Organization. CGCIO Program at Rutgers: http://spaa.newark.rutgers.edu/cgcio. Contact us: (732) 734-1805, www.njgmis.org, njgmis@njgmis.org

  36. GMIS-NJ's Annual Technology Education Conference, March 27th 2014, "The Palace" in Somerset (Franklin Township). Registration information at: www.njgmis.org/conference.html, njgmis@njgmis.org

  37. Contact Information
  • Marc Pfeiffer, PfeifferGov, LLC, Pfeiffer.Gov@gmail.com
  • Robert McQueen, Certified Government CIO, Chief Information Officer, Princeton, NJ, rmcqueen@princetonnj.gov
  • Justin Heyman, Certified Government CIO, Director of Information Technology, Township of Franklin, NJ, Justin.Heyman@twp.franklin.nj.us
  • Todd Costello, Director of MIS, Township of Middletown, NJ, tcostell@middletownnj.org
