Welcome to CyberSecurity Annual User Awareness Refresher Training
What is Cybersecurity?
• Cybersecurity is the practice of protecting computer systems and networks, including the data they hold, from being:
• Lost
• Disclosed
• Modified
• Battelle’s CyberSecurity Protection Program within our Information Management department is chartered with protecting Battelle's:
• Information
• Systems
• Computers
• Networks
• Technology alone cannot provide adequate protection.
• Information Technology systems and data compromises are at an all-time high, due to:
• Increasing use of computers and the Internet
• More prevalent “Zero Day” exploits
• Advanced sophistication and resources of hackers (e.g. organized crime, nation states)
• Battelle is specifically targeted because we are a major government contractor.
What is Cybersecurity?
• Home
• Office
• Another Location
Be Smart, Safe, and Secure, because this is our Battelle.
Safeguarding Information and Data | Overview
In this section, you will learn about Battelle’s principles and techniques of information protection. You will also learn about removable media storage guidelines, sensitive information categories and reporting requirements.
• You are responsible for:
• Assigned computing devices
• Software
• Passwords
• SecurID tokens
• PINs
• Certificates
Safeguarding Information and Data | The Principle of Least Privilege
All staff members should apply the Principle of Least Privilege when granting access to sensitive information: “you give an entity the least amount of access it needs to do its job and nothing else. In this definition, an entity can be a person, computer, or anything on the network.”
Safeguarding Information and Data | Personal Computing Devices
Battelle staff members and contractors may have camera-enabled devices in their possession in general access areas at all Battelle locations.
• Use of a camera-enabled device must be consistent with Battelle Policy 1.4, and staff and contractors are responsible to ensure that:
• The proper usage of the device and the approved areas for use are understood
• The area around the camera field of view is visually checked to ensure no Business Sensitive, Strictly Private, proprietary, or otherwise client-related material is in the background of the shot
• The pictures are not posted on any external social networking sites
Safeguarding Information and Data | Removable Storage
Removable media represents one of the largest threats to sensitive information. Examples include thumb drives, CDs/DVDs, diskettes, external hard drives, backup tapes and MP3 players.
• Be extremely careful when using removable media to transport sensitive information outside of Battelle.
• Do so only if you must have it for work at home or while on travel.
• Take only the minimum information needed.
• When disposing of the device, return it to Battelle for proper disposal or sanitizing. Caution! Simply deleting the information does not remove it. Rather, the device must be sanitized by overwriting it a number of times. Contact the IM Service Desk for assistance in sanitizing devices.
• Maintain positive control of the device at all times.
• If any device containing Battelle or client sensitive information is lost or stolen, it must be reported immediately to the IM Service Desk.
• NEVER remove Government Classified or Government Sensitive information from Battelle on a laptop or a removable storage device.
Safeguarding Information and Data | Sensitive Information Categories
• Sensitive information categories include:
• Government Classified
• Export Controlled Information
• Business Sensitive or Strictly Private
• Sensitive Information
Government Classified
Top Secret, Secret, Confidential, and other categories of government classified information require specialized security measures and are not approved for storage in IM systems, e-mail servers, file servers, SharePoint sites, or PC hard drives. Contact Battelle Government Security or your local Facility Security Officer with questions concerning safeguards for classified information or to report the loss, compromise, or suspected compromise of classified information. The proper reporting telephone numbers can be found on the CyberSecurity Contact List.
Government Sensitive Information
Certain information is designated by government agencies as sensitive but unclassified. Common acronyms include FOUO (For Official Use Only) and SSI (Sensitive Security Information). There are over 50 designators for this category of information. The specific acronym and the safeguarding requirements are usually client and contract specific. Contact Battelle Government Security or your local Facility Security Officer for information on safeguarding Sensitive But Unclassified information or to report a loss or compromise.
Export Controlled Information
The Department of State and Department of Commerce categorize certain information and technology as being Export Controlled. The transmission of Export Controlled information or technology outside of the United States, or to foreign persons or entities within the United States, requires a license and must be in strict compliance with applicable export control laws and regulations. Battelle is required to implement special security safeguards for export controlled information and technology in our control. The Export Compliance Guide and the Technology Control Plan describe export restrictions, access controls, and safeguards for export controlled information. References to these documents can be found in the CyberSecurity Contact List. There is an Export Control Manager assigned to each product line. For questions about whether information you are working with is export controlled, contact your Export Control Manager. Contact Legal Services for questions on export licensing or to report any export violation or compromise.
Business Sensitive or Strictly Private
Such information is generally not releasable to the public and must be safeguarded at all times. The Total Information Protection (TIP) program describes the security measures required for Business Sensitive information and can be found in SBMS. Contact Battelle Government Security or your local Facility Security Officer for more information on safeguarding Business Sensitive information or to report a loss or compromise.
Safeguarding Information and Data | Information Protection Techniques
Appropriate security techniques must be used to protect business information in electronic form when transmitting it over public networks, including telephones and the Internet, or transporting it outside of Battelle on any digital media (hard drives, diskettes, CD/DVDs, Zip drives, thumb drives, or other storage devices).
The following techniques can be used to protect information and data:
• Metadata Removal
• Encrypting Sensitive Information
• Secure File Transfer
• Compliance Data
*Metadata is the term describing embedded hidden data within Microsoft Office products.
Iron Key is the preferred thumb drive Battelle staff should use. (Pictured: thumb drives, hard drives, CD/DVD, Western Digital Passports.)
Metadata Removal
Metadata is embedded hidden data, for example, review comments, unresolved tracked changes (added and deleted text), authors’ names, and more. It is Battelle’s best practice not to share or transmit Microsoft Office Word, Excel, or PowerPoint files to non-Battelle entities or individuals without first removing all potentially embarrassing or damaging metadata, unless the external users need to see the metadata (e.g., Tracked Changes and Comments for collaboration reasons). Failure to remove certain types of metadata could be embarrassing, or worse yet, damaging to Battelle. Refer to the CyberSecurity web page for more information on tools to remove metadata. **Office 2007 has a built-in metadata cleaning tool.
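The kinds of hidden data named above live in predictable places inside an Office file: a .docx, .xlsx or .pptx is a zip package whose docProps/core.xml part names the author and last editor, whose comments part holds review comments, and whose Word body keeps deleted and inserted text inside w:del and w:ins wrappers. The following Python script is an added example for this page, not Battelle's tool or Microsoft's inspector; it builds a small constructed document, audits what would leave with the file, blanks the identifying core properties, and then audits again to show that comments and tracked changes still remain to be resolved in the application.

```python
"""Pre-send metadata check for Office Open XML files (.docx, .xlsx, .pptx).
Added example for this training page; it is not Battelle's metadata tool.
The zip-with-docProps/core.xml layout is the standard OOXML package format;
the sample document below is constructed for the demonstration."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CORE = "docProps/core.xml"
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():  # keep the standard prefixes when re-serialising
    ET.register_namespace(_prefix, _uri)

# Core properties that name people or carry free-text notes.
IDENTIFYING = ("dc:creator", "cp:lastModifiedBy", "dc:description", "cp:keywords")
# Word tracked-change wrappers; the [\s>] guard keeps <w:instrText>/<w:delText> out.
TRACKED = re.compile(rb"<w:(ins|del)[\s>]")
COMMENT_PART = re.compile(r"comments?\d*\.xml$")


def audit_package(data: bytes) -> dict:
    """List what would leave with the file: author fields, comment parts
    and (for Word) unresolved tracked changes."""
    report = {"authors": [], "comment_parts": [], "tracked_changes": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if CORE in names:
            root = ET.fromstring(zf.read(CORE))
            for tag in IDENTIFYING:
                el = root.find(tag, NS)
                if el is not None and (el.text or "").strip():
                    report["authors"].append((tag, el.text.strip()))
        report["comment_parts"] = [n for n in names if COMMENT_PART.search(n)]
        for n in names:
            if n.startswith("word/") and n.endswith(".xml"):
                report["tracked_changes"] += len(TRACKED.findall(zf.read(n)))
    return report


def scrub_core_properties(data: bytes) -> bytes:
    """Copy the package with the identifying core properties blanked.
    Every other part is copied unchanged, so comments and tracked changes
    still have to be resolved in the application before sending."""
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename == CORE:
                root = ET.fromstring(payload)
                for tag in IDENTIFYING:
                    el = root.find(tag, NS)
                    if el is not None:
                        el.text = None
                payload = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            out.writestr(item, payload)
    return out_buf.getvalue()


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: an author, an external reviewer, one comment
    and one tracked change. [Content_Types].xml is abbreviated here; a real
    package lists every part."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" '
        'xmlns:dcterms="%(dcterms)s" xmlns:xsi="%(xsi)s">'
        '<dc:title>Proposal draft</dc:title>'
        '<dc:creator>A. Staffmember</dc:creator>'
        '<cp:lastModifiedBy>Reviewer from Partner Co.</cp:lastModifiedBy>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2009-01-05T10:00:00Z</dcterms:created>'
        '</cp:coreProperties>' % NS
    )
    w = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    document = (
        f'<w:document {w}><w:body><w:p><w:r><w:t>Bid price: </w:t></w:r>'
        '<w:del w:id="1" w:author="A. Staffmember"><w:r><w:delText>$900,000</w:delText></w:r></w:del>'
        '<w:ins w:id="2" w:author="A. Staffmember"><w:r><w:t>$1,200,000</w:t></w:r></w:ins>'
        '</w:p></w:body></w:document>'
    )
    comments = (
        f'<w:comments {w}><w:comment w:id="0" w:author="Reviewer from Partner Co.">'
        '<w:p><w:r><w:t>Do not let the client see the old figure</w:t></w:r></w:p>'
        '</w:comment></w:comments>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(CORE, core)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/comments.xml", comments)
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", audit_package(original))
    print("after: ", audit_package(scrub_core_properties(original)))
```

Run the audit on the outgoing copy, not the working copy: the second report shows that blanking core.xml removes the names but leaves the comment part and both tracked changes in place, which is exactly why the slide says to resolve changes and comments (or use the Office inspector) before a file goes to a non-Battelle recipient.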
Encrypting Sensitive Information
Exercise caution when sending sensitive information outside of Battelle via the Internet. It is especially dangerous to include sensitive information in e-mail messages, because e-mail may be stored in unencrypted form on multiple e-mail servers outside of Battelle. Information Management has implemented an encrypted Secure File Transfer application (FX) to securely transmit large data files over the Internet. Commercial encryption software is available for hard drives, folders, or individual files. Contact IM for recommendations.
Secure File Transfer
The Battelle File Exchange service available at fx.battelle.org provides the secure transfer of large files, up to 1GB, over the Internet as an alternative to e-mail and other traditional methods, such as File Transfer Protocol (FTP). FX can be used by all Battelle staff to exchange files between staff and/or external recipients. FX may be used by contractors, clients and partners to exchange files with Battelle staff. Caution: FX is NOT APPROVED for government classified information.
Compliance Data
• If dealing with credit card (PCI) or Personally Identifiable Information (PII), please see Information Management to ensure standards are followed.
• Personally Identifiable Information (PII): Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
• Payment Card Industry Data (PCI): A worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands.
• Note: Both types of data need to be protected, and Information Management must be notified to ensure compliance and that appropriate controls are in place to protect the information.
Safeguarding your PC at Battelle
• You have just learned about the primary principles and techniques that Battelle uses to protect information and data.
• Assigned computing devices (including software and data) require the use of appropriate security measures, commensurate with the value of the data and equipment, to ensure that:
• The device is not stolen
• Data is not lost or corrupted, used in unauthorized ways, or available to unauthorized persons
• All Battelle laptops are required to be encrypted with Battelle’s Safeboot encryption software, available through WebRun.
• The following methods are used to safeguard your PC at Battelle:
• Passwords
• Virus Protection
• Baseline Software
• Backup of Computing Devices
• Sanitization
• Screen Saver
Passwords
Password protection is critical to reducing cybersecurity threats. Take the time to create strong passwords that are easily remembered, but difficult to guess. Battelle adheres to strong password standards, which are automatically enforced by the system. Battelle staff members must adhere to the following password guidelines:
• Passwords Required — Passwords are required on all computing devices used to store or access business information (PCs, BlackBerrys, cell phones, etc.).
• Password Sharing — Personal network passwords and SecurID Personal Identification Numbers (PINs) are for use by the assigned staff member only. Sharing personal passwords or PINs with anyone, including family, friends, contractors, or other Battelle staff, is prohibited.
• Password Storage and Handling — Passwords and PINs should be memorized. If a written password is necessary, it must be carried on the staff member's person or kept in locked storage. Passwords and PINs must not be kept with or attached to the device (PC, laptop, token, etc.).
• Change Passwords Frequently — Network passwords must be changed at least every six months.
• Auto-locking — Password-protected auto-locking (e.g., screen savers) must be configured on all computing devices to automatically activate after a maximum of 10 minutes' idle time, to minimize data exposure.
Virus Protection
Virus protection is critical for network defense. Current virus pattern files are required on all computing devices connected to the Battelle network, including both business and home computing devices. Battelle provides Trend Micro OfficeScan virus protection software for all Battelle users. Staff members who access the Battelle network from home for work are licensed to use OfficeScan.
Baseline Software
All staff members are required to maintain baseline software on all Battelle PCs connected to the Battelle network, and are further required to install patches distributed by IM within the specified timeframe. Computing devices that cannot meet these requirements because of project or engineering constraints must be reviewed and approved by IM. The IT Asset Manager (ITAM) must approve any non-baseline software. IM maintains a list of software already approved by the ITAM as well as software that has been prohibited by the ITAM. For more information, see the Desktop Baseline Software web site in the CyberSecurity Contacts List.
Backup of Computing Devices
Staff members are required to make periodic backup copies of business data residing on any computing device for which they are responsible. The “Connected” automatic backup system is available in Columbus and many regional offices. Contact your local IT Coordinator or the IM Service Desk to determine if Connected is available to you.
Sanitization
Information contained on discarded devices and media can lead to serious information compromise. These devices and media include PCs, PDAs, BlackBerry devices, cellular telephones and all removable media, including external hard drives, diskettes, CDs/DVDs, Zip drives, thumb drives, or other storage devices. Battelle staff members are required to remove all data and software when disposing of any system that has been used to store or process Battelle data. Sanitizing, destroying, or disposing of all devices and digital media must be accomplished by IM-approved methods. Battelle leased and owned PCs, PDAs, BlackBerry devices, and cell phones must be returned to IM for disposal. At the Columbus and West Jefferson, Ohio campuses, you may deposit many forms of electronic media in the Business Sensitive Information Disposal Bins identified with a label as shown below. Bins are typically located in the same room as the walk-up copiers and/or printers. If your site does not have local procedures for disposal of electronic media, please contact Government Security for guidance in establishing a local (or site-specific) Business Sensitive Information Disposal Program.
Screen Saver
Password-protected auto-locking or screen savers are required on all computing devices that contain Battelle information, including BlackBerry devices and PDAs, and must be set to activate after 10 minutes of inactivity. This is automatically set for PCs on the Battelle network. When you step away from your PC, you must manually lock your PC by pressing either the Windows key and the L key together, or the Control, Alt and Delete keys together and then clicking Lock Computer.
Safeguarding the Network
• Not only do you have the responsibility to protect your PC, you also need to protect our Battelle network.
• We create a large amount of sensitive data:
• Intellectual property
• Product information
• Proposal information
• Other sensitive materials
Safeguarding the Network | Visitors and Staff
• Visitors must never be permitted to connect to the LAN (Local Area Network).
• Visitors can knowingly or unknowingly introduce malicious viruses or software into the network.
• Staff members are not permitted to directly connect non-Battelle owned or leased storage devices to the Battelle network. If necessary, visitors can use Visitor Internet Ports (VIPs) for Internet access.
• Visitor Internet Ports (VIPs) are clearly labeled for access and are now available in many of our Battelle conference rooms. All VIP-enabled rooms are labeled as shown.
• Staff members may connect from VIPs into the LAN using IM-approved methods for remote access.
• Visitors must utilize VIPs to connect to the Internet at Battelle.
Safeguarding the Network | Network Protections
• To prevent compromise of our Battelle network, you must comply with the following prohibitions:
• Personally owned computing devices and removable storage devices (for example, thumb drives) are not permitted to be connected to the Battelle network or Battelle computing devices.
• Peer-to-peer music sharing and file sharing is prohibited.
• Automatic forwarding of Battelle mail to outside e-mail accounts is prohibited.
• Accessing personal e-mail accounts from the Battelle LAN is prohibited.
• Illegal, pornographic, or harassing material is prohibited.
• Wireless Access Points are prohibited on the Battelle LAN without explicit IM approval.
• At all times adhere to Battelle Professional and Ethical Standards.
Avoiding Attacks and Threats
• All computers and networks are susceptible to attack, unauthorized use, or unauthorized access when connected to the Internet.
• Battelle has strong security controls on network servers and desktops, and uses a firewall to filter traffic from the Internet; however, constant vigilance is required to keep your computer and our network safe.
• Examples of the tools hackers may use to gain access to your computer:
• Virus
• Worm
• Keystroke Logger
• Trojan Horse
• Password Cracker
Avoiding Attacks and Threats | Email Precautions
• E-mail is one of the primary methods by which PCs are compromised.
• The following are guidelines that will help you identify suspicious e-mail and attachments:
• Be extremely cautious of e-mail from a sender you do not recognize; however, sender addresses are easily faked, so knowledge of the sender is no guarantee that the e-mail is safe.
• If the e-mail is not work related, don’t open it.
• Be wary of any e-mail asking for personal information.
• Be suspicious if the language, grammar, spelling, or content of the e-mail is inappropriate.
• Exercise caution if an e-mail contains an attachment you were not anticipating. Many attachments which look safe, for example, Microsoft Word files, are often infected. If you feel you need the attachment for Battelle business, contact the sender via phone if possible to confirm that the attachment is legitimate. Replying to the e-mail may cause more spam to be generated.
• Microsoft and other software vendors never distribute software updates via e-mail. If you receive an e-mail claiming to have software updates, it is almost certainly infected. DO NOT OPEN IT. Report it immediately to the IM Service Desk.
• Electronic greeting cards or postcards frequently contain dangerous software and should be deleted immediately.
• Do not click on hotlinks in e-mail messages. Hotlinks in e-mail text are often spoofed, leading to attacks.
• E-mail is neither secure nor confidential. Exercise caution when sending sensitive information outside of Battelle via e-mail. Use Battelle's FX (Secure File Transfer) utility to transmit sensitive information. See the IM website for instructions.
• E-mail that is threatening in nature must be reported to Security Operations or the Battelle IM Service Desk.
Avoiding Attacks and Threats | Internet Browsing Precautions
• Careless Internet browsing is another primary method by which PCs are compromised and then used to gain network access.
• Follow these guidelines when browsing the Internet:
• Exercise care if browsing sites of unknown security.
• The Internet should be accessed from Battelle owned or leased equipment only for authorized business and very limited personal use.
Avoiding Attacks and Threats | Social Engineering Precautions
• Social Engineering is using social skills and tricks to convince you to give up critical information.
• Common attack techniques:
• Phishing
• Road Apple
Phishing
Phishing applies to e-mail appearing to come from a legitimate business — a bank, or credit card company — requesting "verification" of information and warning of a dire consequence if the recipient does not respond. The e-mail usually contains a hotlink to a fraudulent web page that appears legitimate — with company logos and content — and includes a form to provide personal information, ranging from a home address to passwords to an ATM card's PIN. Never click on hotlinks in e-mail messages. These links are often spoofed and point to sites that can download infections to your PC.
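The Email Precautions guidelines and the phishing description above are a checklist a reader applies by eye; the same checks can be run mechanically on an incoming message before anyone clicks. The script below is an added example for this page, not a Battelle tool or product. It parses a constructed phishing message and a constructed benign message and flags the warning signs the slides name: a sender outside a hypothetical allow-list of known domains, a display name that borrows a trusted domain, a Reply-To pointing elsewhere, a "software update" lure, a request for a password or account details, an unexpected executable attachment, and a hotlink whose visible text names one site while its target is another.

```python
"""Heuristic screening of an e-mail for the warning signs in the slides above.
Added example, not a Battelle tool. The sample messages and TRUSTED_DOMAINS
are constructed for the demonstration; the checks follow the slide text."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the organisation's own domain plus a vetted partner.
TRUSTED_DOMAINS = {"example-corp.test", "partner.test"}
# Attachment types the slides would treat as "not what you were expecting".
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".hta", ".docm", ".xlsm", ".pptm"}
PERSONAL_INFO = re.compile(
    r"\b(password|pin|social security|account number|verify your (account|identity))\b", re.I)
UPDATE_LURE = re.compile(r"\b(software|security) update\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Host part of a URL or bare domain, lower-cased."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def _domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def screen_message(raw: str) -> list:
    """Return a list of finding codes; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = _domain_of(from_addr)
    if from_dom not in TRUSTED_DOMAINS:
        findings.append("unfamiliar-sender")
    if reply_addr and _domain_of(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")
    # A display name that names a trusted domain while the address is elsewhere.
    if from_dom not in TRUSTED_DOMAINS and any(d in display.lower() for d in TRUSTED_DOMAINS):
        findings.append("display-name-spoof")
    text = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
            if ext in RISKY_EXT:
                findings.append(f"risky-attachment:{fname}")
        elif part.get_content_type() == "text/html":
            body = part.get_content()
            text.append(re.sub(r"<[^>]+>", " ", body))
            collector = _LinkCollector()
            collector.feed(body)
            for href, visible in collector.links:
                # Visible text that looks like a domain but differs from the real target.
                if re.search(r"[\w-]+\.[a-z]{2,}", visible, re.I) and _host(visible) != _host(href):
                    findings.append(f"spoofed-link:{_host(href)}")
        elif part.get_content_type() == "text/plain":
            text.append(part.get_content())
    full = " ".join(text)
    if PERSONAL_INFO.search(full):
        findings.append("requests-personal-info")
    if UPDATE_LURE.search(full):
        findings.append("software-update-lure")
    return findings


# Constructed sample: a lure of the kind the slides describe.
SAMPLE = """\
From: "IT Support example-corp.test" <helpdesk@mail-update-center.test>
Reply-To: collect@dropbox-inbox.test
To: staff@example-corp.test
Subject: Mandatory security update - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>A mandatory security update is waiting. Log in at
<a href="http://example-corp.test.login-verify.test/">https://example-corp.test/portal</a>
and confirm your password to avoid account suspension.</p></body></html>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="update.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed sample: ordinary internal mail with a PDF attached.
BENIGN = """\
From: Pat Colleague <pat@example-corp.test>
To: staff@example-corp.test
Subject: Notes from Tuesday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Notes from the project review are attached.
--b2
Content-Type: application/pdf
Content-Disposition: attachment; filename="review-notes.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    print("lure:  ", screen_message(SAMPLE))
    print("benign:", screen_message(BENIGN))
```

The spoofed-link check is the one most worth copying: it compares the host the reader sees with the host the browser would actually open, which is precisely the trick the phishing slide describes. These are heuristics, so a clean result is not proof of safety; the slides' advice to confirm by phone and to report to the IM Service Desk still applies.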
Road Apple
A road apple is a real-world variation of a Trojan Horse that uses physical media and relies on the curiosity of the victim. The attacker leaves a malware-infected floppy disk, CD-ROM or thumb drive in a location sure to be found (bathroom, elevator, sidewalk), gives it a legitimate-looking and curiosity-piquing label, and simply waits. In some cases, hackers have mailed official-looking CDs or thumb drives to users. These are often imprinted with the logo of clients or business partners. When the user inserts the CD or thumb drive into the PC, infected files are secretly installed. These files can infect other PCs and servers on the network, and can lead to serious compromises of information.
Security while Traveling
• Battelle offers its employees a wide range of portable devices for business use.
• These items can include:
• Laptops
• Cell phones
• BlackBerry devices
• Thumb drives
• Identifiable articles
• For information regarding travel outside of the country, please see the Travel website.
Roles and Responsibilities
Battelle staff members are responsible for the appropriate use and protection of assigned computing devices and software, and any assigned authentication mechanisms (passwords, SecurID tokens, Certificates, etc.). Violations of security policy or loss of computing devices or information must be reported to the IM Service Desk. Review the chart below for more information regarding roles and responsibilities.
Contacts and Information Sources
We are all responsible for protecting Battelle’s information and data. If you’re not sure about cybersecurity policies and procedures or are in need of assistance, the links and contact information below will guide you to the correct information.
Be smart, safe and secure, because this is our Battelle.
Summary
• You have just completed your training on Cybersecurity. You should now be able to:
• Describe the goals of the Cybersecurity program and the type of threats Battelle is facing
• Describe the principles and techniques of information protection
• Describe the policies and solutions to safeguard your office computer
• Identify methods to safeguard the Battelle network
• Recognize how to avoid attacks and threats to Battelle
• Recognize CyberSecurity risks while traveling
• List roles and responsibilities of staff members and their importance to Battelle CyberSecurity
• List contacts and information sources for Battelle CyberSecurity