Information Security and Privacy

Handling Security Threats
Types of Security Threats
Malware (or: "Malicious Software") Attacks
Computer Viruses and Worms
Email vs. network traveling worms
Worms now more common than virus
Spyware, Adware & Advertising
Trojans
Bots & Botnets
Password Attacks (also called authentication & privilege attacks)
Brute-force attack
Dictionary attack
Social Engineering
Phishing Threats
Network attacks
Outside Vs. Inside attacks
Bluetooth specific attacks
Bluesnarfing
Bluejacking
Bluebugging
Eavesdropping
Identity/IP address spoofing
Sniffer attacks
Denial of Service Attacks
Multiple execution methods (ping of death, smurf, teardrop)
Incident handling
Overview of company policy on Information Security
whistle-blower policy
Importance of responding correctly/consequences of negligence
How to respond to a virus/malware attack or other security breach?
How to respond to physical security breach?
Data Security
(CaaS) Information Classification and Storage Protocol
Information classified according to protection and availability needs
Goal: To understand which types of data require protection, and to what extent --> to understand the proper treatment of all types of data you have access to
Confidentiality policies / disclosure policies
Security measures / safeguards
Communication Protocol
Selecting the right channel/medium
e-mail
what type of information is best communicated over e-mail?
Things to keep in mind when opening e-mail/attachments
Phone
where to have conversations
Managing phone recordings
Face to Face Conversation
Being mindful of who you're talking to, what to/not to share?
Working Remotely
Why does working remotely pose a security risk?
How can you set up your computer for working remotely safely?
What are some things to keep in mind (do's/don'ts) when working remotely?
How to respond to a breach?
Physical Security
Handling Hardcopies
Filing/storage
Disposal/Recycling
Tailgating/Building Security
Protecting Computers/Devices
Do's/Don'ts
Reporting incidents
Highly customizable. There is a lot more to this at the IT/management level.
Staying Safe on the Internet
Browse Safely
Searching
what links to click/avoiding ads
browsing history
Web Cookies
Removing, blocking and disabling / consequences of removing, disabling and blocking
what incognito means
Tools and Updates
Threats from browsing
what an attack looks like
Responding to an attack
Downloading 3rd party applications
What is 3rd party app?
Personal vs. work related
What information does an app request access to?
How could an app pose a security threat?
Cloud Computing
What is Cloud Computing
IaaS (Infrastructure as a Service), SaaS, PaaS
What it means for data to be at rest, in transit, in the cloud
Risks of Cloud Computing at work
Data Protection
Exposure/release of sensitive data
Data intercepted in transit
Accidental leakage of data
Backup files stored on CP wrongly shared
Malicious insiders
Cloud service unavailability/reliability issues, or termination
Loss or unavailability of needed data
Use of Rogue Cloud Services / Shadow IT
Poor or un-monitored employee choices
Compliance to company protocols on cloud computing
Safe Lists
Personal responsibility for safe cloud use
Social Media / Blogging
What you can and cannot share about your company
Possible: Social Media Policy / social media component of privacy policy
Consequences of making information public
Public vs. private blogging vs. anonymous blogging
Use of company information in private blogs
LinkedIn: Use of examples from work
Malware via social media
Facebook
Caution with 3rd party apps
Regularly view and maintain apps you have downloaded.
Avoiding scams/offers/click-jacking
Understanding FB interface / difficulty distinguishing scams from legit
Twitter: Shortened URLs (bit.ly)
Detecting/checking shortened URLs (hovering, link scanners, link checking services)
Avoiding Phishing Messages
Shared w/ friend/coworker does not make it legit
Consequences: can steal log in info
There's a Privacy angle to this which we will address in Data Privacy
Maintaining Computer Security
Computer Setup
Locking computers
Installing Firewall, Anti-virus, Malware Detection
Installing updates, Network Safety
Back-up best practices
Network Security
Different Network Types
Network Configuration & Detection of Changes in Network Preferences
Bluetooth and Wireless
Endpoint Security (each device)
Hot spots
Network breach sources
Infiltration
Exfiltration
Aggregation
Password Safety
Password Habits That Protect You (existing lesson)
What Makes Passwords Vulnerable (existing lesson-might retitle)
Data Encryption / Authentication
What is encryption and why is it used?
Encrypting and decrypting
Plain text vs. cipher text
Good encryption passphrases
Backing up data before encrypting
Devices that may require encryption
Hard drive
What is important to encrypt on your hard drive?
Mobile/portable devices
Added sensitivity of Data on Portable Devices
USB flash drives
Determining if encryption software is built in or if you must install
Smartphones
Determining if encryption software is built in or if you must install
Laptops
Encrypting specific files vs. full disk encryption
Laptops vs. Flash drive: is it better to keep sensitive files only on a flash drive?
What about tablets?
Activities that may require encryption
Web browsing when using public Wi-Fi
What are the risks of using a public network?
Using HTTPS connections
How to encrypt and secure your entire browsing session
Email
Using encryption software to encrypt sensitive emails
Encryption Software
How to recognize a good encryption software?
Do these belong in other topics?
this needs to be rolled into another track. Computer setup?
Not just the first time, relevant beyond
Mobile Web/Mobile apps (for work)
Cookies
Search engines - everything you search is tracked
Google mapping - location tracking
malicious links and scams
Bluetooth and wireless security and hot spots
anti-virus software
Security threats in collaborative activity - sharing features
Social Media
Blogging & personal web sites that are tied to work
Using 3rd party applications
Business Continuity Planning
Responding to an emergency/mishap (virus attack/stolen laptop)
Information classification (company-specific?) / Data Classification Policy
Business Identity Theft
Advertisements (check for searching competency)
Equipping yourself for Data Recovery (backups/best practices)
FTP/Network protocol/network security
Organizational Independence
Hard Drive/USBs
To insert into network security: What makes network security vulnerable: Software bugs; Configuration mistakes; Network design flaw
Not necessarily to be included, but the following encryption software are bad choices because their passcodes can be easily broken (and are noncompliant software for PHI):
Microsoft Word password protection
Microsoft Excel password protection
Microsoft PowerPoint password protection
Microsoft Outlook .pst file password protection
Zip 2.0 encryption
To insert into network security: VPNs, Firewalls (first line of defense), VLANs, and Network Access Controls
Notes to self: Cloud Computing risks have also been broken down into: technical, legal, and organizational - but I decided this broad categorization was more helpful for an IT team developing CP protocols, not employees, and drew those risk types I felt were most relevant. Risk mitigation is not the responsibility of the Cloud SP - they do not care about the law or data protection - it is the responsibility of a company to define guidelines for its employees' use of Cloud Services. The only topic I did not include in framework that I think MAY be relevant: Loss of control to SP --> ex: Cannot know for certain that something deleted is not still on a server somewhere (but I still think this is for IT Dept. to worry about)
Information protection protocols on: handling, transmitting, storing, and disposing of information
Social media threat classifications: Phishing, XSS, CSRF (don't think this is important for employees to know).
Cookies
What are cookies?
1st vs 3rd party cookies
New type of cookies: Flash cookies, supercookies, evercookies
Functional advantages of cookies
Risks
Network threats
End system threats
Cookie harvesting threats
Removing, Blocking and Disabling cookies