Information as an Asset: How to Protect Your Data

Citi Public, May 15th, 2013

Overview

• Define Information Security
• Information Security Risks
• Information Security Reviews

Agenda

• Information security - what is it?
• Password protection tips
• Protecting against social engineering
• Recognizing phishing scams
• Know the game of thieves
• Identity theft
• What to do if you are a victim?
• When and how to perform reviews
• Resources

What is it?

• A collective set of policies, standards, processes and procedures that limits or controls access to, and use of, information to authorized users.
  – IS is the process of protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption.

Is Information Security something new?

• Julius Caesar is credited with the invention of the Caesar cipher c. 50 B.C. to prevent his secret messages from being read should a message fall into the wrong hands.
• WW II brought about significant advancements in IS: formalized classification of data, based on the sensitivity of the information and who could have access to it, was introduced.
• The rapid growth and widespread use of electronic data processing and electronic business conducted through the Internet fueled the need for better methods of protecting these computers and the information they store, process and transmit.

Information Security Core Principles

• Confidentiality: Holding sensitive data in confidence, limited to an appropriate set of individuals or organizations.
• Integrity: Data cannot be created, changed, or deleted without authorization.
• Availability: The information, the computing systems used to process the information, and the security controls used to protect the information are all available and functioning correctly when the information is needed. The opposite of availability is denial of service (DoS).

Password Construction Techniques

• Constructing tough-to-crack passwords is an important way that you can protect information and your identity.
• A good password must also be unique. When constructing your password, never use easy-to-guess password elements such as:
  – Your User ID (jsmith)
  – A phone number or street address
  – Names of family members, close friends, coworkers, pets, etc.
  – Your title or function (secretary, manager, security, etc.)
  – Names of places
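The construction rules above can be enforced mechanically at password-change time. The following is an added example, not code from the slides: a small Python checker that takes the personal details the slides say never to use and reports which rules a candidate password breaks. The helper names, the three-digit and four-letter matching thresholds and the sample details are my own assumptions.

```python
import re

def _digit_runs(text):
    """Runs of three or more consecutive digits (assumed threshold)."""
    return set(re.findall(r"\d{3,}", text))

def password_violations(password, user_id="", phone="", address="",
                        names=(), titles=(), places=(), previous=()):
    """Return the construction rules from the slide that `password` breaks.

    An empty list means none were broken. Matching is case-insensitive
    substring matching against the details the slide says never to use:
    user ID, phone number, street address, names of people/pets, job title
    or function, place names, plus earlier passwords for the uniqueness rule.
    """
    pw = password.lower()
    found = []
    if user_id and user_id.lower() in pw:
        found.append("contains user ID")
    # Phone number / street address: any 3+ digit run copied from them
    for label, value in (("phone number", phone), ("street address", address)):
        digits = re.sub(r"\D", "", value)
        if digits and any(run in digits for run in _digit_runs(pw)):
            found.append(f"contains digits from {label}")
    # Street name from the address (words of four or more letters, assumed)
    street = [w for w in re.findall(r"[a-z]+", address.lower()) if len(w) >= 4]
    if any(w in pw for w in street):
        found.append("contains street name")
    # Names, titles/functions and places: report the first entry found
    for label, items in (("family/friend/pet name", names),
                         ("title or function", titles),
                         ("place name", places)):
        hit = next((i for i in items if len(i) >= 3 and i.lower() in pw), None)
        if hit is not None:
            found.append(f"contains {label} '{hit}'")
    if password in previous:
        found.append("reuses a previous password")
    return found

if __name__ == "__main__":
    # Constructed sample details for a fictional employee (not real data)
    print(password_violations("jsmith2013!", user_id="jsmith",
                              phone="555-201-3344", names=["Rex"]))
```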

Password Protection Techniques

Once you’ve constructed a hard-to-guess password, these are some important steps you should take to protect it:
• Do not give your password to anyone, even if they claim they have a valid business reason.
• Change your passwords on a periodic basis, as even the strongest passwords can be guessed or misplaced over time. In most cases, your business will select the appropriate period and it will be enforced automatically by the operating system or application.
• Watch out for applications that "remember" your password so that you do not have to input it again. Typically these applications have a checkbox on the login screen that asks "Remember my ID on this computer?" Always select "no" in response to this question.

Social Engineering

• The facet of Information Security concerned with attacks that manipulate people rather than systems.
• Creating a false sense of trust in order to…
  – Gain insider access
  – Obtain sensitive information
  – Bypass an organization's existing physical security controls

Types of Social Engineering

• Psychological Subversion
  – Establishing a relationship with an insider to gain access to a continuing stream of information
• Masquerading
  – Impersonating people with legitimate access or a need to know in order to gain access
• Shoulder Surfing
  – Stealing information by watching a legitimate user type in a password

Examples of Social Engineering

• Tailgating
  – Entering secure locations by following behind someone with legitimate access
• Dumpster Diving
  – Finding improperly discarded information
• Look out for…
  – Rushing
  – Name-dropping
  – Small mistakes, for example: misspellings, misnomers, odd questions, etc.
  – Requests for forbidden information

Identity Theft – What is it?

• A component or subset within IS principles and the CIA Triad.
• According to the non-profit Identity Theft Resource Center, identity theft is "sub-divided into four categories":
  – Financial Identity Theft - using another's name and SSN to obtain goods and services
  – Criminal Identity Theft - posing as another when apprehended for a crime
  – Identity Cloning - using another's information to assume his or her identity in daily life
  – Business/Commercial Identity Theft - using another's business name to obtain credit

Recognizing Phishing Scams

• Phishing is a type of internet scam designed to steal your valuable personal data. In other words, phishing may be considered a means to commit identity theft.
• Thieves might send fraudulent e-mail messages that appear to come from websites you trust and have existing relationships with. BEWARE: they may not be legitimate.
• What does a phishing scam look like? Phishing messages often include official-looking logos from real organizations and other identifying information taken directly from legitimate websites.

Phishing Example (slide image not reproduced)

Don’t be a victim of Identity Theft

• Types:
  – Hijacking existing accounts and deposits
  – Creating new alternate identities
• How can someone steal my identity?
  – Stealing records
  – Trash (Dumpster Diving)
  – Credit reports
  – Theft of wallets or purses
  – Electronic scams (as discussed)

How can I tell a true website from a fake?

• Look for the lock or key icon at the bottom of the browser.
• If the site has changed since your last visit, be suspicious.
• A list of popular financial sites that use a secure page for logins is maintained on pharming.org.
• Check spelling, grammar, and punctuation. If there are errors, chances are you may have been phished.
• Hover over suspicious links to find masked URLs.
• A reputable business will never ask you to verify account information online.
• Did you initiate the contact?

What to do?
• Report suspicious incidents to the Organization immediately.
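The "hover over suspicious links to find masked URLs" check can be automated for a whole e-mail body, which is how a mail gateway or help desk might triage reported messages. Added example, not code from the slides: Python that extracts the anchors from an HTML message and flags any whose visible text names one host while the href actually points at another. The constructed sample message, its domain names and the helper names are assumptions, not real sites.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lower-cased host of a URL or a bare domain such as 'www.example.com/x'."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()

def masked_links(html):
    """Return (visible text, real host) for anchors whose text shows one
    domain while the href leads to a different one (a masked URL)."""
    parser = _LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        if "." not in text:          # plain words like "click here" show no domain
            continue
        shown, real = _host(text), _host(href)
        # A sub-domain of the shown host (login.examplebank.com) is not masking
        if shown and real and shown != real and not real.endswith("." + shown):
            suspicious.append((text, real))
    return suspicious

# Constructed sample message (assumed domains, not real sites)
EMAIL_HTML = """
<p>Dear customer, please visit <a href="http://secure-login.example.net/verify">
https://www.examplebank.com/login</a> to verify your account.</p>
<p>Help: <a href="https://www.examplebank.com/help">www.examplebank.com/help</a></p>
<p><a href="http://203.0.113.5/x">click here</a></p>
"""

if __name__ == "__main__":
    print(masked_links(EMAIL_HTML))
```

Links whose text is plain prose ("click here") are not flagged by this check, so it complements rather than replaces the other cues on the slide.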

What if I am a victim?

Four steps to minimize damage/maximize control:
• Contact the fraud department at one of the major credit bureaus
• Review your credit report
• Contact institutions where fraud occurred
• File a police report

How and When to Perform Information Security Reviews - Internal

• Periodic reviews of critical functions (management and/or maker-checker controls)
• Constant vigilance: all sensitive data shall be monitored at all times (email, shared drive access, databases, creation and deletion of user IDs)
• Enforcement: verification of controls in place by an IS officer

How and When to Perform Information Security Reviews - External

• Preventive: verification before agreeing to outsource any service; agree on terms in the contract.
• Enforcement: quarterly (Vendor Manager) and yearly (IS officer) verification of controls in place.
• Reactive: in case of any breach identified, implement immediate measures to control the situation.

Statistics (chart not reproduced)

Source of information: PhishTank

Questions
