Saturday, November 05, 2016

Notes from Security Awareness lessons

Social Engineering
- Cyber attacks can happen in a variety of ways, including emails, instant messages and phone calls
- Tricks used to get your attention: free downloads, "You won", pretending your computer is infected, emails/messages pretending to be from your bank.
Email & Messaging
- Phishing attacks come in the form of emails/messages pretending to represent your bank
- An attacker's email may trick you into clicking a link or opening an attachment, which may infect your computer
- Signs of a phishing attack: a generic message that does not address you personally
- Messages that demand immediate action
- Spelling mistakes in messages
- Sender using a personal email address such as Gmail or Yahoo
- Emails asking for highly sensitive information such as your credit card number or password
- Before clicking a link, hover over it to see the real destination
- Type the address directly in the browser instead
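The phishing signs listed above turned into a small detection check, as an added example that is not part of the original notes: it flags a personal sender domain, a generic greeting, urgency wording, requests for secrets, and the "hover the link" test of comparing the displayed address with the real href. The word lists, sample sender and sample message are constructed.

```python
import re
from urllib.parse import urlparse

# Indicator word lists drawn from the notes above (constructed, deliberately short).
URGENCY_WORDS = ("immediately", "within 24 hours", "will be suspended", "act now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued member")
PERSONAL_MAIL_DOMAINS = ("gmail.com", "yahoo.com", "hotmail.com")
SENSITIVE_ASKS = ("password", "card number", "pin code")
_URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)
# Simple anchor matcher for the demo; a production filter should use a real HTML parser.
_ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
_TAG = re.compile(r"<[^>]+>")

def _host(s):
    """Hostname of a URL or bare domain; '' when s is not URL-like (e.g. 'click here')."""
    s = s.strip()
    if not _URL_LIKE.fullmatch(s):
        return ""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def phishing_indicators(sender, body_html):
    """Return the indicators from the notes that this message triggers (empty = none)."""
    found = []
    text = _TAG.sub(" ", body_html).lower()
    if sender.rsplit("@", 1)[-1].lower() in PERSONAL_MAIL_DOMAINS:
        found.append("sender uses a personal email domain")
    if any(g in text for g in GENERIC_GREETINGS):
        found.append("generic greeting, not addressed to you")
    if any(u in text for u in URGENCY_WORDS):
        found.append("demands immediate action")
    if any(s in text for s in SENSITIVE_ASKS):
        found.append("asks for sensitive information")
    # The "hover the link" check done in code: displayed address vs real destination.
    for href, shown_html in _ANCHOR.findall(body_html):
        shown_host, real_host = _host(_TAG.sub("", shown_html)), _host(href)
        same_site = real_host == shown_host or real_host.endswith("." + shown_host)
        if shown_host and real_host and not same_site:
            found.append(f"link shows {shown_host} but goes to {real_host}")
    return found

# Constructed sample message (not a real email): a bank-themed lure from a webmail address.
SAMPLE_SENDER = "security-alerts@gmail.com"
SAMPLE_BODY = (
    "<p>Dear Customer,</p><p>Your account will be suspended unless you verify your "
    'password immediately: <a href="http://login.example.net/verify">'
    "https://www.examplebank.com/login</a></p>"
)

if __name__ == "__main__":
    for indicator in phishing_indicators(SAMPLE_SENDER, SAMPLE_BODY):
        print("-", indicator)
```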
Browser attacks:
- Ensure the browser has the latest updates
- Do not open unsafe sites; modern browsers detect bad sites
- Make sure https is used for sites
- Use only approved and up-to-date plugins or add-ons
- Log out from a website when you have finished
- Use
Social Networks
- Strong unique passwords, different passwords for different accounts, 2-step verification if possible
- When posting something ensure it is posted
- When someone you don't know posts something about you, ask them to remove it or report it
- Install social network 3rd-party applications only from trusted sources
- When there is a suspicious post from somebody, contact them directly and tell them about
- Do not post confidential information on any site
Mobile Device Security:
- Protect with screen lock, password, PIN
- Activate remote wiping
- Install apps from trusted sources, read reviews, check popularity
- Check the permissions an app requires when installing it
- Keep apps updated
- Keep the mobile OS updated
- Buy a new mobile device when there is no more OS support
- Never jailbreak or hack the mobile device
- Beware of malicious links in SMS messages
Passwords
- Do not use simple passwords
- Do not use personal information in passwords like date of birth, name, pet name
- Use long passwords, use Upper/Lower case, Numbers, special chars
- Use Password Managers
- Do not use public computers to log in to bank accounts
- Be aware of sites that ask personal questions; the answers can be found on the internet
- Use 2-factor authentication
Data Security and Data Destruction
- It is about how to store, process, transmit and destroy sensitive information
- Use systems authorized by the organization
- Do not copy organization information to personal devices
- Use authorized and licensed software
- Do not use cloud services (Dropbox, iCloud, Google Drive) if not approved by the organization
- Do not leave hard-copy documents on desks; lock them in folders
- Always lock the computer when leaving the desk
- Use strong encryption when sending information over a network
- Use approved external devices and software for storing information
- Use special software to securely delete sensitive information
- Always shred hard-copy documents when no longer needed
Working Remotely
- Use only devices provided/approved by the organization
- Family members should not use work devices
- Use encrypted channels such as VPNs when connected through public networks
- Ensure the OS and the applications used are up to date
- Never use public computers for work
- Do not allow others to connect to your devices via USB, Bluetooth, ...
Insider Threats (created by someone employed by the organization)
- Someone asking for information which he/she is not required to have
- Someone carrying a large number of documents out of the organization
- Someone transferring large files when he/she is not required to do so
- Someone working strange hours
- Someone trying to log in to somebody else's accounts or asking for access to data centers
- Someone with strange behavior
- Never share your credentials with anybody, including your supervisor
Protecting your personal computer
- Your computer runs the latest OS and the latest versions of installed applications, e.g. Word, Excel, ...
- Automatic updates are activated on your computer/devices
- Uninstall unused applications
- Ensure web browsers and their plugins are updated
- Use private/anonymous mode when browsing the internet
- Ensure the firewall is active
- Ensure the antivirus is running and updated
- Perform regular backups of your personal information
Hacked. You may be hacked when:
- The antivirus generates alerts
- The browser takes you to unwanted sites
- Your password is no longer working
- Your friends tell you that they receive messages from your Facebook, Twitter or email account which you didn't send
- Contact the security team immediately when you think you have been hacked
Payment Card Industry Data Security Standard (PCI DSS)
- Limit data access to only the people who require it
- Do not store sensitive data
- Store the PAN in encrypted form according to organization standards
- Verify the identity of the person before granting them access to any payment card device
- Cardholder information should be used only for processing payments
- Only authorized payment systems may be used to store, process or transmit cardholder data
Cloud Services
- You never know where the data is stored
- Obtain permission to use cloud services in the organization
- Obtain permission on what type of information can be stored in the cloud
- Never access personal cloud accounts from the organization without prior permission
- Use unique passwords for your cloud accounts
- Share cloud information only with approved people
