Information Security and Privacy | Mind Map

Handling Security Threats

Types of Security Threats

Malware (or: "Malicious Software") Attacks

Computer Viruses and Worms

Email vs. network traveling worms

Worms now more common than virus

Spyware, Adware & AdvertisingTrojans

Bots & Botnets

Password Attacks (also called authentication& privilege attacks)

Brute-force attack

Dictionary attack

Social Engineering

Phishing Threats

Network attacks

Outside Vs. Inside attacks

Bluetooth specific attacks

Bluesnarfing

Bluejacking

Bluebugging

Eavesdropping

Identity/IP address spoofing

Sniffer attacks

Denial of Service Attacks

Multiple execution methods (ping of death, smurf, teardrop)

Incident handling

Overview of company policy on Information Security

whistle-blower policy

Importance of responding correctly/consequences pf negligence

How to respond to a virus/malware attack or other security breach?

How to respond to physical security breach?

Data Security

(CaaS) Information Classification and Storage Protocol

Information classified according to protection and availability needs

Goal: To understand which types of data require protection, and to what extent --> to understand the proper treatment of all types of data you have access to

Confidentiality policies / disclosure policies

Security measures / safeguards

Highly customizable. There is a lot more to this at the IT/management level.

Communication Protocol

Selecting the right channel/medium

e-mail

what type of information is best communicated over e-mail?

Things to keep in mid when opening e-mail/attachments

Phone

where to have conversations

Managing phone recordings

Face to Face Conversation

Being mindful of who you're talking to, what to/not to share?

Working Remotely

Why does working remotely pose a security risk?

How can you setup your computer for working remote safely?

What are some things to keep in mind (do's/dont's) when working remote?

How to respond to a breach?

Physical Security

Handling Hardcopies

Filing/storage

Disposal/Recycling

Tailgating/Building Security

Protecting Computers/Devices

Do's/Dont's

Reporting incidents

Staying Safe on the Internet

Browse Safely

Searching

what links to click/avoiding ads

browsing history

Web Cookies

removing blocking and disabling /consequences of removing disabling blocking

what incognito means

Tools and Updates

Threats from browsing

what an attack looks like

Responding to an attack

Downloading 3rd party applications

What is 3rd party app?

Personal.vs. work related

What information does an app request access to?

How could an app pose a security threat?

There's a Privacy angle to this which we will address in Data Privacy

Cloud Computing

What is Cloud Computing

IaaS (Infrastructure as a Service), SaaS, PaaS

What it means for data to be in rest, in transit, in the cloud

Risks of Cloud Computing at work

Data Protection

Exposure/release of sensitive data

Data intercepted in transit

Accidental leakage of data

Backup files stored on CP wrongly shared

Malicious insiders

Cloud service unavailability/reliability issues, or termination

Loss or unavailability of needed data

Use of Rogue Cloud Services / Shadow IT

Poor or un-monitored employee choices

Compliance to company protocols on cloud computing

Safe Lists

Personal responsibility for safe cloud use

Social Media / Blogging

What you can and cannot share about your company

Possible: Social Media Policy /social media componant of privacy policy

Consequences of making information public

Public vs. private blogging vs. anonymous blogging

Use of company information in private blogs

LinkedIn: Use of examples from work

Malicious malware via social media

Facebook

Caution w 3rd party apps

Regularly view and mantain apps you have downloaded.

Avoiding scams/offers/click-jacking

Understanding FB interface / difficulty distinguishing scams from legit

Twitter: Shortened URLS (bit.ly)

Detecting/checking shortened urls (hovering, link scanners, link checking services)

Avoiding Phishing Messages

Shared w/ friend/coworker does not make it legit

Consequences: can steal log in info

Maintaining Computer Security

Computer Setup

Locking computers

Installing Firewall, Anti-virus, Malware Detection

Installing updates, Network Safety

Back-up best practices

Not just the first time, relevant beyond

Network Security

Different Network Types

Network Configuration & Detection of Changes in Network Preferences

Bluetooth and Wireless

Endpoint Security (each device)

Hot spots

Subtopic 1

Network breach sources

Infiltration

Exfiltration

Aggregation

Password Safety

Password Habits That Protect You (existing lesson)

What Makes Passwords Vulnerable (existing lesson-might retitle)

this needs to be rolled into another track. Computer setup?

Data Encryption / Authentication

What is encryption and why is it used?

Encrypting and decrypting

Plain text vs. cipher text

Good encryption passphrases

Backing up data before enrypting

Devices that may require encryption

Hard drive

What is important to encrypt on your hard drive?

Mobile/portable devices

Added sensitivity of Data on Portable Devices

USB flash drives

Determining if encryption software is built in or if you must install

Smartphones

Determining if encryption software is built in or if you must install

Laptops

Encrypting specific files vs. full disk encryption

Laptops vs. Flash drive: is it better to keep sensitive files only on a flash drive?

What about tablets?

Activities that may require encryption

Web browsing when using public WIFI

What are the risks of using a public network?

Using HTTPS connections

How to encrypt and secure your entire browsing session

Email

Using encryption software to encrypt sensitive emails

Do these belong in other topics?

Encryption Software

How to recognize a good encryption software?

Mobile Web/Mobile apps (for work)CookiesSearch engines - everything you search is trackedGoogle mapping - location tracking malicious links and scams Bluetooth and wireless security and hot spots anti-virus software Security threats in collaborative activity - sharing features Social Media Blogging & personal web sites that are tied to work Using 3rd party applications Business Continuity Planning Responding to an emergency/mishap (virus attack/stolen laptop)Information classification (company-specific?) / Data Classification PolicyBusiness Identity Theft Advertisements (check for searching competency)Equipping yourself for Data Recovery (backups/best practices)FTP/Network protocol/network security Organizational Independence Hard Drive/USBs

To insert into network security: What makes network security vulnerable: Software bugs; Configuration mistakes; Network design flaw

Not necessarily to be included, but the following encryption software are bad choices because their passcodes can be easily broken, (and are noncompliant software for PHI): Microsoft Word password protectionMicrosoft Excel password protectionMicrosoft PowerPoint password protectionMicrosoft Outlook .pst file password protectionZip 2.0 encryption

To insert into network security: VPNs, Firewalls (first line of defense), VLANs, and Network Access Controls

Notes to self: Cloud Computing risks have also been broken down into: technical, legal, and organizational- but I decided this broad categorization was more helpful for an IT team developing CP protocols, not employees, and drew those risk types I felt were most relevant. Risk mitigation is not the responsibility of the Cloud SP- they do not care about the law or data protection-- it is the responsibility of a company to define guidelines for its employees use of Cloud Services. The only topic I did not include in framework that I think MAY be relevant: Loss of control to SP--> ex: Cannot know for certain that something deleted is not still on a server somewhere (but I still think this is for IT Dept. to worry about)

Information protection protocols on: handling, transmitting, storing, and disposing of information

Social media threat classifications: Phishing, XSS, CSRF (don't think this is important for employees to know).

Cookies

What are cookies?

1st vs 3rd party cookies

New type of cookies: Flash cookies, supercookies, evercookies

Functional advantages of cookies

Risks

Network threats

End system threats

Cookie harvesting threats

Removing, Blocking and Disabling cookies