Security Awareness Training - For Companies With Access to NYS "Sensitive" Information
1. Information Security
User Awareness and Best Practices
Presented by David A. Menken,
Smith Buss & Jacobs, LLP to
December 15, 2014
David A. Menken, Esq.
Smith Buss & Jacobs LLP
733 Yonkers Avenue
Yonkers NY 10704
dmenken@sbjlaw.com
914-457-4186
www.sbjlaw.com
3. Importance of Security
The Internet allows an attacker to attack from anywhere.
Malicious code from an email, a web page or a USB drive can infect the
entire organization.
A breach is often the result of a simple mistake.
What you risk with poor security knowledge and practice:
Risk of identity theft
Risk of monetary theft
Risk of cancellation of contracts
Risk of a lawsuit (for you and your company)
Risk of liability for fines and penalties
Risk of termination of employment if company policies are not
followed
4. What We Need to Take Away
Security: We must protect our computers
and data in the same way that we secure
the doors to our homes.
Safety: We must behave in ways that
protect us against risks and threats that
come with technology.
5. Why We Are Here This Morning
Your company has access to NYS government information, so it must comply
with the data handling and data confidentiality requirements of NYS Cyber
Security Policy P03-002 v3.4:
• Information must be housed only on internal servers
• Information must be segmented from the rest of EIC's network
• Access must be controlled by encryption meeting the AES-256 standard
• Access must be contingent on role-based permissions and strong passwords
• Information must be secured behind a strong firewall and not available to the
Internet
• Information may be decrypted only to perform data analysis
• When information is destroyed, it must be destroyed using DoD-grade methods
• Security must be monitored in real time
• Employees must be trained in security awareness
6. Why We Are Here This Morning
Employees MUST Undertake Training
1. New employees must receive general security awareness training,
to include recognizing and reporting insider threats, within 30 days
of hire.
2. Additional training must be completed before access is provided to
specific sensitive information not covered in the general security
training.
3. All security training must be reinforced at least annually and must
be tracked by your company.
7. How We Can Detect an Intrusion/Malware
Antivirus software detects a problem
Pop-ups suddenly appear
Disk space disappears
Home page changes
Files or transactions appear that should not be there
System slows down to a crawl
Unusual messages, sounds, or displays
Your mouse moves by itself
Frequent firewall alerts about unknown programs trying to
access the Internet
Your computer shuts down and powers off by itself
Often an intrusion shows none of these signs and goes undetected.
9. Best Practices to Preserve Security
Handling Sensitive Data
• Protect all "sensitive" data and files.
"Sensitive" is data, documents, or files which, if
compromised, would have an adverse effect on the
company or its employees or customers.
• Store data in a secure physical environment, only on devices
owned and approved by IT Support.
• Encrypt and password-protect data when it is in transit (e.g., sent by
email) or on mobile devices and removable media (laptops, CDs, USB
"thumb" drives).
• NYS data has special encryption requirements.
10. Best Practices to Preserve Security
Handling Devices and Files
• Only devices owned or approved by IT Support may be connected to the
systems. See the "Bring Your Own Device" Policy.
• PCs must be manually locked when unattended and must automatically
lock after a period of inactivity.
• PCs must require a password to re-activate.
• Files must be stored and backed up on the server, not on the desktop
or C: drive.
11. Best Practices to Preserve Security
Handling Logons and Passwords
• Passwords must comply with security standards.
• A good password is:
• yours alone
• secret
• easily remembered by you
• at least 8 characters, complex
• not guessable
• changed regularly (every 90 days)
• 5 unsuccessful attempts will lock your account.
• The system or browser may not be configured to remember (cache)
passwords.
• Users may NEVER share passwords for any reason.
• Two-factor authentication: a second proof of identity beyond the
password (such as a code from a token or phone).
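As an added illustration (not part of the presentation), the following Go program turns the password rules above into a check that can actually be run, and models the five-attempt lockout. The length and lockout numbers are the slide's; the "three of four character classes" reading of "complex", the small common-password list, and the names of the functions are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Policy constants. The length and lockout numbers are the slide's; the
// character-class minimum is an assumed reading of "complex".
const (
	MinLength        = 8
	MinCharClasses   = 3
	LockoutThreshold = 5
)

// A small constructed stand-in for a real breached-password list.
var commonPasswords = map[string]bool{
	"password": true, "password1": true, "welcome1": true,
	"qwerty123": true, "letmein1": true, "p@ssw0rd": true,
}

// CheckPassword returns every rule the candidate breaks; an empty result
// means the password meets the policy.
func CheckPassword(username, password string) []string {
	var problems []string
	if len([]rune(password)) < MinLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", MinLength))
	}
	var lower, upper, digit, symbol bool
	for _, r := range password {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	classes := 0
	for _, present := range []bool{lower, upper, digit, symbol} {
		if present {
			classes++
		}
	}
	if classes < MinCharClasses {
		problems = append(problems, fmt.Sprintf("uses %d of 4 character classes, need %d", classes, MinCharClasses))
	}
	lowered := strings.ToLower(password)
	if commonPasswords[lowered] {
		problems = append(problems, "appears on the common-password list")
	}
	if username != "" && strings.Contains(lowered, strings.ToLower(username)) {
		problems = append(problems, "contains the user name")
	}
	return problems
}

// Account holds the lockout state for one user. Failures are counted
// consecutively; a correct logon clears the count, and once the threshold
// is reached even the correct password is refused until an administrator
// unlocks the account.
type Account struct {
	Failed int
	Locked bool
}

// Attempt records one logon attempt. credentialsOK stands in for the real
// check (a hash comparison in any actual system); the return value says
// whether the logon is allowed.
func (a *Account) Attempt(credentialsOK bool) bool {
	if a.Locked {
		return false
	}
	if credentialsOK {
		a.Failed = 0
		return true
	}
	a.Failed++
	if a.Failed >= LockoutThreshold {
		a.Locked = true
	}
	return false
}

func main() {
	for _, pw := range []string{"password", "JDoe2014!x", "Tr0ub4dor&3"} {
		fmt.Printf("%-12s -> %v\n", pw, CheckPassword("jdoe", pw))
	}
	var acct Account
	for i := 1; i <= LockoutThreshold; i++ {
		acct.Attempt(false)
		fmt.Printf("failure %d: locked=%v\n", i, acct.Locked)
	}
	fmt.Println("correct password after lockout accepted:", acct.Attempt(true))
}
```

Two design points worth noting: the lockout counter is reset only by a successful logon, never by time, which matches the slide's wording; and a real deployment would keep the common-password list far larger than the placeholder here and check the user name case-insensitively, as this code does.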
12. Best Practices to Preserve Security
Handling Security Updates and Patches
• Configure operating systems for automatic security updates and
patches.
• Configure applications for automatic security updates and patches
(e.g., MS Office, Acrobat).
• Configure security software to scan web pages, email, attachments,
and downloads.
• Keep security software up to date and configured for regular scans.
13. Best Practices to Preserve Security
Handling Physical Security
• Lock your workstation when you leave your desk or leave your
laptop/mobile device unattended:
• Press the Windows key and "L" (at the same time), or
• Press Ctrl-Alt-Del and choose "Lock Computer".
• Lock sensitive documents and materials in a file cabinet.
• Dispose of sensitive materials appropriately.
• Never share your access key, card or fob.
• Always question unescorted strangers.
• Immediately report all suspicious activities and breaches of physical
security.
14. Best Practices to Preserve Security
Handling Email Threats
• Don't fall prey to "social engineering".
• Do not open email attachments unless you are expecting the email with
the attachment and you trust the sender.
• Do not click on links in emails unless you are absolutely sure of
their validity.
• REMEMBER: The most prevalent and persistent threats to your security
arrive in your Inbox, even supposedly from people you know.
• They all have one thing in common: they are designed to get you to
click on something, such as an attachment, link or picture.
Stop - Think - Then (maybe) Click
15. Best Practices to Preserve Security
Handling Threats from Your Browser
• Browsing Can Be Hazardous to Your PC
• The Common Threat: On the web, the threats come from malicious links.
• Most of the threats come when you click on a link that launches a
malicious program or redirects you to a dangerous site.
16. Best Practices to Preserve Security
Handling Telework Threats
• Mobile Workers: Be Careful With Your Connections
• Assume public wireless networks are not secure.
• Use a Virtual Private Network: a VPN carries your traffic through an
encrypted tunnel to the company network, so others on the public
network cannot read it.
• Device Encryption: should be installed on all mobile devices that
connect to company systems.
17. Reported Data Breaches of Not-for-Profit Corporations in 2014
(reported by Privacy Rights Clearinghouse)
Oct. 2014: Community Technology Alliance (provides tech support to
non-profits in San Jose) notified individuals of a potential compromise
of their personal information when an employee's laptop was stolen.
Sept. 2014: BayBio.org (life sciences non-profit in the Bay Area)
notified individuals of a data breach of its online payment system. The
hacker, via an email, inserted files that captured keystrokes of
visitors to the site.
July 2014: Central City Concern (poverty and homelessness NGO in Oregon)
suffered a data breach when unauthorized access by a former employee
resulted in the exposure of client data.
March 2014: Service Coordination Inc. (provides services to the
developmentally disabled in Maryland) suffered a breach involving one
file containing SSNs and medical information of 9,700 clients when
someone hacked its computers.
18. New York Data Breach Law
N.Y. St. Tech. Law §208 (applies to state agencies) and
N.Y. Gen. Bus. Law, §899-aa (applies to business)
Guarantees persons the right to know what private information was exposed
during a breach, so that they can take the necessary steps to both prevent
and repair any damage incurred.
Obligates any person or business that conducts business in NY and owns or
licenses computerized data that includes private information, or any person
or business that maintains such data, to notify a person whose unencrypted
data was stolen.
19. New York Data Breach Law
Definition of “Private Information”
• Personal information of a natural person (i.e., information which can be
used to identify that person, such as name or email address)
• in combination with any one or more of the following data elements:
(1) Social Security number
(2) Driver's license number or similar identification number
(3) Account number or credit/debit card number, in combination with any
required security code, access code or password
• when the data is either unencrypted, or encrypted with an encryption key
that was also acquired
20. If you have any questions
please contact me:
David A. Menken
Smith Buss & Jacobs LLP
733 Yonkers Avenue, Yonkers NY 10704
914-457-4186
dmenken@sbjlaw.com