Data security @ the personal level
•Download as PPTX, PDF•
0 likes•493 views
Protecting data assets is a real problem and not just the job of the IT department
Recommended
Recommended
More Related Content
Similar to Data security @ the personal level
Similar to Data security @ the personal level (20)
More from Arnon Rotem-Gal-Oz
More from Arnon Rotem-Gal-Oz (20)
Recently uploaded
Recently uploaded (20)
Data security @ the personal level
- 1. Data Security (@ the personal level) Arnon Rotem-Gal-Oz
- 2. So what’s so important about “information security”?
- 3. Security is a real problem www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
- 4. Information security? Not MY problem - IT should figure it out
- 5. We’ve met the enemy and he is us
- 7. Formal threat analysis The STRIDE model Also see • OWASP https://www.owasp.org/ • https://www.owasp.org/index.php/Threat_Risk_Modeling#STRIDE • Common Criteria https://www.commoncriteriaportal.org/
- 8. Spoofing (of user identity) Tampering Repudiation Information disclosure Denial of service Elevation of privilege
- 14. Passwords
- 16. 2016 is just as bad
- 21. Pay attention to email/text recipient address
- 22. Malware
- 23. It is up to you!
- 24. •Be mindful •Be careful who you trust •Secure your devices •Report problems
Editor's Notes
- 37 Million customer records Posted records of people who really wanted to be anonymous… Also exposed Ashely madison as frauds – so maybe not all bad
- US office Personnel – forms submitted by intelligence and military personnel for security clearances Korea Credit bureau – 20 Million bank and credit card users data was leaked including names, SSN, credit card number Australian immigration dept. sent the visa details , passport numbers of world leaders (Obama, Putin, Merkel etc.) to organizers of a football tournament IRS – gamed the IRS refund system requesting tax refunds with other people’s details Uber – had a database open to the world – 50K drivers details
- ”bob” payed < fifth of his 6 figures salary Had VPN logs contacting from China He physically sent his RSA card to the consulting firm he used
- Information Disclosure (privacy breach or data leak)
- Information Disclosure (privacy breach or data leak)
- Phishing vs. SpearPhising Blended/multi-vector threat. Spear phishing uses a blend of email spoofing, zero-day application exploits, dynamic URLs, and drive-by downloads to bypass traditional defenses. Leverages zero-day vulnerabilities. Advanced spear phishing attacks leverage zero-day vulnerabilities in browsers, plug-ins, and desktop applications to compromise systems. Multi-staged attack. The initial exploit of systems is the first stage of an APT attack that involves further stages of malware outbound communications, binary downloads, and data exfiltration. Lack characteristics of spam. Spear phishing email threats are targeted, often on an individualized basis, so they don’t bear a resemblance to the high-volume, broadcast nature of traditional spam. This means reputation filters are unlikely to flag these messages minimizing the likelihood of spam filters catching them. The attacks targeting RSA, the security division of EMC Corp., in 2011 provide a very clear picture of the way spear phishing can set the stage for a devastating and incredibly far-reaching assault on a corporation — and its customers. The assault began with spear phishing attacks that sent targeted users an email with a Microsoft Excel file attachment that leveraged a zero-day flaw in Adobe Flash. It is clear that not only was RSA the focus of the attack, but only four individuals within RSA were the recipients of the malicious emails. It took just one user to open the email and attachment, which downloaded a Trojan onto the user’s PC. This successful spear phishing attack was part of a much more complex advanced targeted attack. With this malware installed on the victim’s PC, criminals were able to search the corporate network, harvest administrator credentials, and ultimately gain access to a server housing proprietary information on the SecurID two-factor authentication platform. The attack didn’t end there. In fact, all this was a precursor to the ultimate objective: Gaining entry to the networks of RSA’s customers, focusing on those in the defense industrial base. With the stolen data, the criminals then targeted numerous high-profile SecurID customers, including defense contractors Lockheed Martin, L-3, and Northrop Grumman. The takeaway for enterprises is that this example makes clear that even seemingly rudimentary attacks may be just the first in a series of advanced, coordinated, and devastating crimes. In addition, advanced targeted attacks against seemingly low level resources or employees without particularly sensitive roles or permissions can still open the door to vital information and huge consequences.
- Slow down. Spammers want you to act first and think later. If the message conveys a sense of urgency, or uses high-pressure sales tactics be skeptical; never let their urgency influence your careful review. Research the facts. Be suspicious of any unsolicited messages. If the email looks like it is from a company you use, do your own research. Use a search engine to go to the real company’s site, or a phone directory to find their phone number. Delete any request for financial information or passwords. If you get asked to reply to a message with personal information, it’s a scam. Reject requests for help or offers of help. Legitimate companies and organizations do not contact you to provide help. If you did not specifically request assistance from the sender, consider any offer to ’help’ restore credit scores, refinance a home, answer your question, etc., a scam. Similarly, if you receive a request for help from a charity or organization that you do not have a relationship with, delete it. To give, seek out reputable charitable organizationson your own to avoid falling for a scam. Don’t let a link in control of where you land. Stay in control by finding the website yourself using a search engine to be sure you land where you intend to land. Hovering over links in email will show the actual URL at the bottom, but a good fake can still steer you wrong.
- Most common passwords
- Consider a password manager lastpass, 1passowrd, Dashlane Don’t reuse passwords across sites At least have categories of passwords Important, semi, everything else -> most sites everything else is fine Two factor authentication
- Çanakkale Turkey (appeared in the movie Troy) Trojans, Spyware, Ransomware Antivirus, Firewalls Be wary
- Email hijacking is rampant. Hackers, spammers, and social engineerers taking over control of people’s email accounts (and other communication accounts) has become rampant. Once they control someone’s email account they prey on the trust of all the person’s contacts. Even when the sender appears to be someone you know, if you aren’t expecting an email with a link or attachment check with your friend before opening links or downloading. Beware of any download. If you don’t know the sender personally AND expect a file from them, downloading anything is a mistake. Foreign offers are fake. If you receive email from a foreign lottery or sweepstakes, money from an unknown relative, or requests to transfer funds from a foreign country for a share of the money it is guaranteed to be a scam. Secure your computing devices. Install anti-virus software, firewalls, email filters and keep these up-to-date. Set your operating system to automatically update, and if your smartphone doesn’t automatically update, manually update it whenever you receive a notice to do so. Use an anti-phishing tool offered by your web browser or third party to alert you to risks.