October is Cyber Security Month. We’re glad you decided to join us. IT Forum, October 30, 2019 Division of Information Technology
Team & Agenda • Susan Bowen; Chief Information Officer and Associate Vice President for IT • Carl Hurst; Associate CIO • Ikram Muhammad; Information Security Engineer • Thomas Kern; Information Security Analyst Agenda • Why Cyber Security • Don't Fall For a Phish • Passwords • What’s Next
What is Cyber Security Cyber security focuses on protecting computers, networks, programs and data, from unintended or unauthorized access, change or destruction.
Why Cyber Security • Cyber Security affects everyone • Your computer, tablet, cellphone and social media probably contain information that hackers and other criminals would love to have • When you are aware of the risks, it may be much easier to protect yourself A strong cyber security system relies on cyber defense technology & on people making smart cyber defense choices
One Technique: Phishing • What: Specialized email attack against a specific target • Goal: collect information or gain access to systems • Technique: disguising oneself as a trustworthy entity in an electronic communication
Spot a Phish Review the email samples on your tables. 1. Is it a phish? 2. Why or why not? 3. If it is a phish - what is your next step? What do you do or not do?
Dear Colleagues: Our aim is to provide guidance and align our behaviors as we make great decisions that impact our daily operations. We rely on our values and this code as guidelines, as a breach of the Policy may result in disciplinary action against the Employee concerned. All employees, including all individuals on full-time or part-time employment with the institution are required to go through the guidelines attached in this email. It is important that we all adhere to these guidelines so you will be helping to ensure a future success of this great institution Thank you for your ongoing commitment to delivering a better and reliable service. Sincerely Scott R. Pilarz
Malware was detected in one or more attachments included with this email message. Action: All attachments have Dear Colleagues: been deleted. Our aim is to provide guidance and align our behaviors as we make great decisions that impact our daily operations. We rely on our values and this code as guidelines, as a breach of the Policy may result in disciplinary action against the Employee concerned. All employees, including all individuals on full-time or part-time employment with the institution are required to go through the guidelines attached in this email. It is important that we all adhere to these guidelines so you will be helping to ensure a future success of this great institution Thank you for your ongoing commitment to delivering a better and reliable service. Sincerely Phish Scott R. Pilarz
I need you to get a task done for me now. I am in a meeting can't take calls or text just reply my email. What do you need. I want you to get some Gift cards available. We have some clients we would like to give some as gifts. Let me know if it is possible for you to make arrangements for the gift cards, so I can tell you which product we would need and what denomination they would be. Kindly confirm this to me now. Thank you
I need you to get a task done for me now. I am in a meeting can't take calls or text just reply my email. What do you need. I want you to get some Gift cards available. We have some clients we would like to give some as gifts. Let me know if it is possible for you to make arrangements for the gift cards, so I can tell you which product we would need and what denomination they would be. Kindly confirm this to me now. Thank you Social Engineering/Scam
Social Engineering/Scam
Hello! I am a hacker who has access to your operating system. I also have full access to your account. I've been watching you for a few months now. The fact is that you were infected with malware through an adult site that you visited. If you are not familiar with this, I will explain. Trojan Virus gives me full access and control over a computer or other device. This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it. I also have access to all your contacts and all your correspondence. Why your antivirus did not detect malware? Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent. I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched. With one click of the mouse, I can send this video to all your emails and contacts on social networks. I can also post access to all your e-mail correspondence and messengers that you use. If you want to prevent this, transfer the amount of $545 to my bitcoin address (if you do not know how to do this, write to Google: "Buy Bitcoin"). My bitcoin address (BTC Wallet) is: 1ELKdWgfedTJ9FV4U5W2JVXFzTpKSqcCjM After receiving the payment, I will delete the video and you will never hear me again. I give you 50 hours (more than 2 days) to pay. I have a notice reading this letter, and the timer will work when you see this letter. Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address. I do not make any mistakes. If I find that you have shared this message with someone else, the video will be immediately distributed. Best regards!
Hello! I am a hacker who has access to your operating system. I also have full access to your account. I've been watching you for a few months now. The fact is that you were infected with malware through an adult site that you visited. If you are not familiar with this, I will explain. Trojan Virus gives me full access and control over a computer or other device. This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it. I also have access to all your contacts and all your correspondence. Why your antivirus did not detect malware? Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent. I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched. With one click of the mouse, I can send this video to all your emails and contacts on social networks. I can also post access to all your e-mail correspondence and messengers that you use. If you want to prevent this, transfer the amount of $545 to my bitcoin address (if you do not know how to do this, write to Google: "Buy Bitcoin"). My bitcoin address (BTC Wallet) is: 1ELKdWgfedTJ9FV4U5W2JVXFzTpKSqcCjM After receiving the payment, I will delete the video and you will never hear me again. I give you 50 hours (more than 2 days) to pay. I have a notice reading this letter, and the timer will work when you see this letter. Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address. I do not make any mistakes. If I find that you have shared this message with someone else, the video will be immediately distributed. Best regards! Extortion and using passwords from other breaches.
Spear phishing - Faculty and Deans
Legitimate
Legitimate
https://livescranton- my.sharepoint.com/:f:/g/p ersonal/ikram_muhamma Legitimate d_scranton_edu/EvD_Cl6k r6JPg8jcFyTg78ABcvl2e- imqOv4M1h4F_jVQg?e=5 %3aKXDB4I&at=9
The Anatomy of a Phish Read all communications carefully , and look for: • Unofficial or odd “From” address Hover over these to review • Links to a questionable website • Misspellings or incorrect grammar • Urgent action • Claim to have compromised your account • Keep personal information secure • A request to send funds • Do not click on any links • Do not open any attachments • Forward the phishing attempt as an attachment to infosec@scranton.edu • Mark the email as Junk
Questions • Is Duo Mobile worth the effort? Please update us on its value, as it is a genuine pain in the ass. • Is there any way to stop those awful Robo calls? Also, if I answer or call them back, does that open me up to security breaches? • Do your smartphones need apps for to check for anti-virus / malware / etc?
What’s in a password? • Use Scranton or Royals • End in numerals 123 or 1234 • End with a year, i.e. 2019 or 1888 • Same for multiple accounts • Minimum 9 characters • No password change in the past 6 months
Passwords: Good, better & best practices Good • Use the longest password or passphrase permissible • Always remember to log out • Avoid common phrases, famous quotes, and lyrics
Passwords: Good, better & best practices Better • Use different passwords on different systems and accounts • Use a password manager to store multiple passwords • Common freeware solutions include: • Sticky Password (mobile fingerprint scan, form autofill) • Roboform (one-click logins, offline access) • Dashlane (security alerts for breaches, password generator) • Lastpass (Syncing across devices) - How secure is your password? • Don’t save passwords in browsers • Modify passwords every 6 months • Do not reuse old passwords
Recommend
More recommend
