Think Security – Things You Can Do to Protect Yourself and Your Company from Today’s Threats
Continuing Professional Education North Carolina Office of the State Controller
---------------------------------------------------------------------------------------------------------------------
Date April 25, 2017 10:00am – 11:00am
Location Office of the State Controller and Live Webinar
Objective To establish basic cybersecurity measures that businesses can leverage to grow while also protecting their most critical assets.
Content In order to maintain the public’s trust, businesses need to establish basic cybersecurity measures that they can leverage to grow their business while also protecting their most critical assets. Today, all businesses, regardless of size or industry, public or private, rely on technology to perform their daily functions. Technology is only going to increase and provides an essential function for businesses to stay connected and informed. However, with these increased conveniences comes increased risks. The internet now facilitates real life crimes including fraud, identity theft and embezzlement. No one is immune to the problem and there is no silver bullet for fixing it. The majority of cyber criminals are indiscriminate; they target vulnerable computer systems regardless of whether the systems are part of a Fortune 500 company, a small business, or belong to a home user. During this session we will discuss the following topics:
· What is Cybersecurity
· Global cybercrime economy
· Understanding what types of threats apply to your company
· Understanding the current threat landscape that you are facing
· Leading practices in cybersecurity risk management
Instructor Chip Wentz
Chip Wentz is a Principal in the Advisory Services practice of Ernst & Young (EY) LLP. Chip leads the Data Protection and Privacy (DPP) sub-service line for the Americas Cyber practice. The DPP practice is focused on helping our clients to identify and protect their sensitive data by assisting them to build the processes and implement the controls needed to provide the right level of protection based on the risk. In this role Chip is responsible for all aspects of the practice including people, quality, growth, and operations.
Chip has over 19 years of experience advising corporate boards, executives and technical leaders in establishing comprehensive processes for managing and maturing their cyber security and data protection programs. These include data loss prevention (DLP) implementations; security architecture; and PCI DSS compliance to strategically protect their critical information assets, reduce business risk and address complex compliance mandates.
Chip has spent the last decade building and leading global information security technology, teams, and compliance operations. He is certified as a CIA, CISA, CISM, CISSP, CIPP and CGEIT. Chip graduated with a BS in Accounting from NC State University.
Chip is a frequent speaker on related topics at industry events across the country.
CPE Credit Offered
Up to 1.0 hour
Materials None
Teaching Method
Lecture
Prerequisites None
Preparation None
Level Basic
Webinar Developer: Ernst & Young (EY) - http://www.ey.com/
Webinar Sponsor: NC Office of the State Controller - https://www.osc.nc.gov/
Think security!
Cybersecurity awareness
Page 1 Think security! Cybersecurity awareness
Who is Chip Wentz?
► Principal, EY Advisory - Americas Data Protection and Privacy Cybersecurity Leader
► Cybersecurity professional for 20 years
► Work with organizations around the world on securing the company and people
► NC native, NCSU Alum
[Image panels: “What my friends think I do”, “What my family thinks I do”, “What I really do”]
Page 2 Think security! Cybersecurity awareness
Our goals today
1. Share real-life examples of the cyber threat landscape
2. Share tactical recommendations that you can immediately perform at work and at home
3. Answer your questions
Page 3 Think security! Cybersecurity awareness
Cybersecurity is protecting information
[Diagram: the three properties that cybersecurity protects]
► Integrity: data is not corrupted or modified by unauthorized means
► Availability: ensuring that information and services are available when requested
► Confidentiality: protecting sensitive information from unauthorized disclosure or interception
Page 4 Think security! Cybersecurity awareness
Why is this important to me?
Technology is rapidly changing and becoming more complex.
Cyber threats could potentially have a huge impact on your company and your personal life.
Hackers have become more motivated, skilled, and organized in stealing your information and money.
Page 5 Think security! Cybersecurity awareness
Data breach statistics
Source: http://breachlevelindex.com/
Data records are lost or stolen at the following frequency:
Every day
4,530,602 records
Every hour
188,775 records
Every minute
3,146 records
Every second
52 records
[Chart: Data records stolen or lost by industry (shows percentage of total records, date range 2013 - present). Sector labels did not survive extraction; shares shown: 35.19%, 15.46%, 11.82%, 11.46%, 4.40%, 3.48%, 1.12%]
[Chart: Number of breach incidents by type (attackers use a variety of techniques against organizations, date range 2013 - present). Category labels did not survive extraction; shares shown: 61.68%, 20.60%, 11.55%, 8.35%, 7.88%]
[Chart: Number of breach incidents by source (the source of data breaches causing problems can vary, date range 2013 - present). Category labels did not survive extraction; shares shown: 65.25%, 24.70%, 15.27%, 2.18%, 2.17%, 0.50%]
Page 6 Think security! Cybersecurity awareness
Can I see this data another way?
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
World’s biggest data breaches: selected losses greater than 30,000 records (as of 5 January 2017)
► River City Media: 1,370,000,000
► Friend Finder Network: 412,000,000
► MySpace: 164,000,000
► VK: 100,544,934
► Dailymotion: 85,200,000
► Weebly: 43,000,000
► Yahoo!: 32,000,000
► Mail.ru: 25,000,000
Page 7 Think security! Cybersecurity awareness
Cybersecurity Is every company a target?
► Common misconception
► “I don’t process credit card transactions internally, therefore, my company is not a target.”
► Reality
► Companies can be targeted for many reasons:
► Company is a vendor of the ultimate target
► Research and development information
► Clients’ plans and specs
► Sensitive merger and acquisition information
► Disrupt operations
Page 8 Think security! Cybersecurity awareness
The reality of business today: Cybersecurity hot topics
Cyber risks are ever increasing in a world with no boundaries and no rules
► Growing regulatory and government focus
► Acute cost and competitive pressure
► Technology developing in leaps and bounds, especially as our clients move toward the “Internet of Things” (IoT)
► Increased erosion of the perimeter from third parties, social media and personal devices
► Extended supply chain means links to smaller business partners
► Rising level and sophistication of external threats
► Risk outpacing organizations’ ability to keep up
Page 9 Think security! Cybersecurity awareness
Where it all started
Who is Hilda Schrader Whitcher?
► SSN stolen over 40,000 times
► At the card’s peak rate of use, almost 6,000 individuals were using her SSN
► Used as late as 1977
► Source: https://www.ssa.gov/history/ssn/misused.html
Page 10 Think security! Cybersecurity awareness
Challenges – why are users the target?
► Lack of experience: We are experiencing a world we never grew up in.
► Lack of education: No one taught us how to stay safe on the internet.
► Always-on access: We have constant internet access through a variety of devices.
Page 11 Think security! Cybersecurity awareness
How does this happen?
Page 12 Think security! Cybersecurity awareness
One common entry vector that can lead to data breaches is social engineering
Social engineering definition: The psychological manipulation of an individual to gain access to information.
Social engineering is a component of most cyber attacks on individuals and companies.
Page 13 Think security! Cybersecurity awareness
How do social engineering attacks happen?
1. Information reconnaissance: The attacker tries to collect information about a potential target using all means available. The information gathered is used to manipulate the target or any person who can be used for a successful attack.
2. Relationship building: The attacker develops a relationship with the victim. The attacker strives to attain a trusting affiliation in order to take advantage of the target.
3. Attack execution: The attacker uses the highly restricted information or physical access gained. This may be the conclusion of the attack or a launching point for the next stage of the attack.
4. Leverage of insights: The social engineer has compromised the individual and has gained information that can be used to their benefit or to gain more information.
Page 14 Think security! Cybersecurity awareness
What are the types of social engineering attacks?
[Diagram] Social engineering attacks: Baiting, Pretexting, Quid pro quo, Spam, Tailgating, Phishing
Page 15 Think security! Cybersecurity awareness
Types of social engineering attacks: Baiting
Baiting involves an attacker dangling something you want in order to entice you to take an action the criminal desires.
Example: A USB flash drive with a company logo was left out in the open. In order to assist in finding the owner, an employee plugged the USB drive into a laptop, which then became infected with malicious software.
Page 16 Think security! Cybersecurity awareness
Types of social engineering attacks: Pretexting
In these attacks, cyber criminals pretend they need certain information from their target in order to confirm the target’s identity.
Page 17 Think security! Cybersecurity awareness
Types of social engineering attacks: Quid pro quo
In a quid pro quo attack, social engineers request information from an individual in exchange for something desirable.
Page 18 Think security! Cybersecurity awareness
Types of social engineering attacks: Spam
Spam consists of bulk email messages sent to individuals without their permission. Spam emails can be malicious and expose you to malware infection or a loss of data.
Page 19 Think security! Cybersecurity awareness
Types of social engineering attacks: Tailgating
Tailgating is when an unauthorized individual enters a secure location by following a person with legitimate access, without the employee’s permission or knowledge.
Page 20 Think security! Cybersecurity awareness
Types of social engineering attacks: Phishing
Phishing is sending a fraudulent email, instant message or other web-based media to get someone to divulge information.
Phishing is the most common type of social engineering attack used today. Most phishing emails seek to obtain information, include embedded hyperlinks or attached files, and often communicate threats, fear or a sense of urgency.
Page 21 Think security! Cybersecurity awareness
Passwords – as easy as 123456 The 25 worst passwords revealed
1) 123456 (unchanged)
2) password (unchanged)
3) 12345678 (up 1)
4) qwerty (up 1)
5) 12345 (down 2)
6) 123456789 (unchanged)
7) football (up 3)
8) 1234 (down 1)
9) 1234567 (up 2)
10) baseball (down 2)
11) welcome (new)
12) 234567890 (new)
13) abc123 (up 1)
14) 111111 (up 1)
15) 1qaz2wsx (new)
16) dragon (down 7)
17) master (up 2)
18) monkey (down 6)
19) letmein (down 6)
20) login (new)
21) princess (new)
22) qwertyuiop (new)
23) solo (new)
24) passw0rd (new)
25) starwars (new)
► If your password appears on this list, you should probably change it right away
Page 22 Think security! Cybersecurity awareness
The password is the basic factor in authentication
Weak passwords
► Four-digit year: 19XX, 20XX
► “Password”: pass, password, p@$$word
► Dictionary words: “football,” “baseball,” “secure”
► Names: name of your pet, parents, children
► Personal information: your name, email address, birthday
► Keyboard patterns and sequences: qwerty, asdf, 123456, abc123
Strong passwords
► Minimum password length of 8–12 characters
► A combination of upper- and lowercase letters, numbers and special characters
► Different from any of the last passwords used
► Try to use different passwords for different services
► Use a passphrase instead of a password
Page 23 Think security! Cybersecurity awareness
Create strong passwords
One way to create a secure password is to start with a word you will remember, e.g., “pamphlet”. Add numbers, special characters and capitalization. Hence, you may come up with “pAMPh$3let”.
Page 24 Think security! Cybersecurity awareness
Use a passphrase
► A passphrase is a phrase or series of words that is used to create a unique password. A passphrase is typically longer than a password, for additional security.
How to create a passphrase
► Create a phrase that is long and meaningful
► The phrase may be personal to you, so you can remember it easily
► Use the first character of each word to form a password, or use the entire phrase
Passphrase example
“My parents bought me a car as a graduation gift in 2013.” → Mpbmacaaggi2
“I was hired at Mom and Mom on June 18, 2015.” → IwhaMaMoJ12
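As an added example (not from the slides and not EY’s code), the following Python script does two things the password slides describe: it derives a password from a passphrase by the first-character method on slide 24, and it checks a candidate password against the weak-password rules on slide 22 and the 25 worst passwords on slide 21. The leetspeak substitution map, the substring matching for keyboard patterns and the 8-character floor are assumptions chosen for this demonstration.

```python
import re

# Constructed from the "25 worst passwords" list on slide 21.
WORST_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey",
    "letmein", "login", "princess", "qwertyuiop", "solo", "passw0rd",
    "starwars",
}

# Keyboard patterns and sequences named on slide 22 (matched as substrings; an assumption).
KEYBOARD_PATTERNS = ("qwerty", "asdf", "123456", "abc123", "1qaz2wsx")

# Assumed substitution map so that "p@$$w0rd" is still recognised as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def initialism(phrase: str) -> str:
    """Slide 24 method: keep the first character of each word (numbers count as words)."""
    words = re.findall(r"[A-Za-z0-9]+", phrase)
    return "".join(w[0] for w in words)


def weaknesses(password: str, previous=(), personal=()) -> list:
    """Return the slide-22 weak-password rules that `password` violates (empty list = none found).

    `previous` are the user's earlier passwords, `personal` are strings such as the user's
    name, pet or birthday that should never appear inside the password.
    """
    problems = []
    lowered = password.lower()
    normalised = lowered.translate(LEET)
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if sum(bool(re.search(cls, password)) for cls in CHARACTER_CLASSES) < 3:
        problems.append("fewer than three character classes")
    if re.fullmatch(r"(19|20)\d\d", password):
        problems.append("four-digit year")
    if lowered in WORST_PASSWORDS or normalised in WORST_PASSWORDS:
        problems.append("on the worst-25 list")
    if "pass" in normalised:
        problems.append("contains 'pass'")
    if any(pattern in lowered for pattern in KEYBOARD_PATTERNS):
        problems.append("keyboard pattern or sequence")
    if any(item.lower() in lowered for item in personal if item):
        problems.append("contains personal information")
    if lowered in {p.lower() for p in previous}:
        problems.append("reused previous password")
    return problems


def is_acceptable(password: str, **kwargs) -> bool:
    """True when none of the weak-password rules fire."""
    return not weaknesses(password, **kwargs)


if __name__ == "__main__":
    phrase = "My parents bought me a car as a graduation gift in 2013."
    derived = initialism(phrase)
    print(phrase, "->", derived)
    for candidate in ("pAMPh$3let", "p@$$w0rd", "1qaz2wsx", "2013", derived):
        print(candidate, weaknesses(candidate) or "no weaknesses found")
```

Note that a password can clear every rule here and still be weak (a slightly altered dictionary word, for instance); the rules are the slide’s checklist, not a substitute for a password manager generating a random value per site.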
Page 25 Think security! Cybersecurity awareness
Passwords
► Use different passwords for every site
► Otherwise, one site getting hacked exposes all of your accounts
► Use a secure password manager
► Creates a complex password for every site for you
► You need to remember only one master pass phrase
► Can be a vault for other important information
Page 26 Think security! Cybersecurity awareness
Two-factor authentication
► What is it?
► Requires multiple things to gain access to an account:
► Something you know
► Something you have
► Why is it good?
► Prevents someone who has your password from accessing an account
► Notifies you when someone tries to access your account
Page 27 Think security! Cybersecurity awareness
Two-step authentication using Google Authenticator
► Provides a second factor of authentication to access your Google account
► If your username and password are ever compromised, the attacker will also need the PIN code to access your account
► Google Authenticator can be used for many personal sites too!
Page 28 Think security! Cybersecurity awareness
Watch for breaches in the news
https://haveibeenpwned.com
Page 29 Think security! Cybersecurity awareness
Typical privacy-type questions: our data never changes
► Use your password manager to make up answers to security questions and record them
► Favorite color
► Car
► School mascot
► Favorite sports teams
► Favorite movies
► Mother’s maiden name
► Spouse’s name
► Names of friends
► Address
► Email address
► Phone number
► Education history
► Employment history
► Home address
► Date of birth
► City and state of birth
► Pet names
► Family names
Page 30 Think security! Cybersecurity awareness
Real-life phishing examples
Page 31 Think security! Cybersecurity awareness
We know to ignore these
Page 32 Think security! Cybersecurity awareness
But what about this one?
Page 33 Think security! Cybersecurity awareness
If you think people will not fall for this, they do
► The Federal Bureau of Investigation (FBI) has been keeping a running tally of the financial devastation visited on companies via CEO fraud scams.
► In June 2016, the FBI estimated that crooks had stolen nearly $3.1b from more than 22,000 victims of these wire fraud schemes.
Source: https://krebsonsecurity.com/2017/02/irs-scam-blends-ceo-fraud-w-2-phishing/
Page 34 Think security! Cybersecurity awareness
Why would I need to email the W2 for employees?
Page 35 Think security! Cybersecurity awareness
We have seen lots of these over the past two months
Page 36 Think security! Cybersecurity awareness
Attachment phishing
Source: http://news.netcraft.com/archives/2012/11/13/phishing-attacks-using-html-attachments.html
Do not open attachments in emails that you did not expect to receive.
Page 37 Think security! Cybersecurity awareness
Hover over the link
Source: http://technews.olemiss.edu/files/2014/03/verizon-phishing.gif
Page 38 Think security! Cybersecurity awareness
Is this real?
Page 39 Think security! Cybersecurity awareness
What’s wrong with this site?
That’s not Google
Page 40 Think security! Cybersecurity awareness
Phishing can also occur via text messaging
Page 41 Think security! Cybersecurity awareness
Texts/emails you should always avoid
► Any communication that you did not initiate
► Communications from your bank with links
► Communications from the IRS
► Communications from your credit card company with a
call to action
► Unsolicited communication from your doctor, lawyer,
accountant or other professional services person
► Random communication from your mortgage company
► Scary texts from a lender
► Promotion from your favorite game
Page 42 Think security! Cybersecurity awareness
Ransomware
Page 43 Think security! Cybersecurity awareness
What is social media?
Social media are interactive platforms that allow people to create and share information over the internet. These platforms include web applications, websites and mobile apps.
Page 44 Think security! Cybersecurity awareness
Social media sites are susceptible to privacy concerns
► Two of the most popular social media platforms are Facebook and Twitter.
► LinkedIn is the largest professional networking site.
► One million websites have integrated with Facebook.
► 25% of users don’t bother with privacy settings.
[Figure: platform logos with user counts of 1.7b users, 450m users and 320m users]
Page 45 Think security! Cybersecurity awareness
IoT devices
Page 46 Think security! Cybersecurity awareness
IoT scanner
http://iotscanner.bullguard.com/
Page 47 Think security! Cybersecurity awareness
Tips to avoid social engineering
► Be skeptical of unusual or unexpected communications
► Be cautious in what you post online
► Be careful when opening attachments
► Speak up if something doesn’t look right
► Lock your laptop screen: do not leave equipment unattended in public places
► Do not send personal or highly restricted information over the Internet without double-checking the validity of the website’s URL (https://...)
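The “hover over the link” habit from slide 38 and the “check the URL” tip above can be automated. The following Python example is added here (it is not from the slides or from EY) and parses a constructed email body to report the same warning signs a careful reader would look for: a link that is not https, a link to a raw IP address, and visible link text naming a different domain than the one the href actually points to. The email body and every host name in it are constructed (documentation ranges and reserved example domains); the two-label domain comparison is a simplification that ignores public-suffix rules such as co.uk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: three links, two of them deserving suspicion.
SAMPLE_EMAIL = """
<p>Your account will be suspended. <a href="http://198.51.100.7/verify">Verify now</a></p>
<p>Or visit <a href="https://accounts-google.example.net/login">https://accounts.google.com</a></p>
<p>Statement: <a href="https://www.example.com/statements">www.example.com</a></p>
"""

DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs, i.e. what hovering over each link reveals."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a host name (assumption: no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def inspect_link(href: str, text: str) -> list:
    """Return the reasons a link deserves suspicion; empty list means none of the checks fired."""
    reasons = []
    url = urlsplit(href.strip())
    host = url.hostname or ""
    if url.scheme != "https":
        reasons.append("not https")
    if IPV4.fullmatch(host):
        reasons.append("raw IP address instead of a domain name")
    shown = DOMAIN_IN_TEXT.search(text.lower())
    if shown and registered_domain(shown.group(1)) != registered_domain(host):
        reasons.append(f"visible text says {shown.group(1)} but the link goes to {host}")
    return reasons


def audit(html: str) -> dict:
    """Map each href in the message to its list of warning signs."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: inspect_link(href, text) for href, text in collector.links}


if __name__ == "__main__":
    for href, reasons in audit(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "no warning signs")
```

The check is deliberately conservative: it only compares domains when the visible text itself looks like a domain, so ordinary link text such as “Verify now” is judged on the href alone.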
Page 48 Think security! Cybersecurity awareness
Tips
Install a comprehensive security suite
Install a comprehensive security suite that provides layered defense via anti-virus, anti-phishing, safe browsing, host-based intrusion prevention and firewall capabilities. Install ad blockers for your web browsers.
Migrate to modern operating systems and hardware platforms
The latest version of any operating system (OS) usually updates security features from the previous versions. Many of these security features are enabled by default and help prevent common attack vectors.
Page 49 Think security! Cybersecurity awareness
Tips
Implement strong passwords on all network devices
In addition to using a strong and complex password on your wireless access point, use a strong password on any network device that can be managed via a web interface, including routers, printers and cameras.
Implement WPA2 on your wireless network
To keep your wireless communication confidential, ensure your wireless access point is using a Wi-Fi Protected Access 2 (WPA2) connection at home.
Page 50 Think security! Cybersecurity awareness
Buyer beware
► Beware of public things
► Public kiosk computer
► Public Wi-Fi
► Hotel computers
Page 51 Think security! Cybersecurity awareness
Questions?
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory
services. The insights and quality services we deliver help build trust
and confidence in the capital markets and in economies the world
over. We develop outstanding leaders who team to deliver on our
promises to all of our stakeholders. In so doing, we play a critical role
in building a better working world for our people, for our clients and
for our communities.
EY refers to the global organization, and may refer to one
or more, of the member firms of Ernst & Young Global Limited, each
of which is a separate legal entity. Ernst & Young
Global Limited, a UK company limited by guarantee, does not
provide services to clients. For more information about our
organization, please visit ey.com.
Ernst & Young LLP is a client-serving member firm of
Ernst & Young Global Limited operating in the US.
© 2017 Ernst & Young LLP.
All Rights Reserved.
1703-2258663
ED None
This material has been prepared for general informational purposes
only and is not intended to be relied upon as accounting, tax or other
professional advice. Please refer to your advisors for specific advice.
ey.com
20/04/2017
1
Think security!
Cybersecurity awareness
Page 1 Think security! Cybersecurity awareness
Who is Chip Wentz?
► Principal, EY Advisory - Americas Data Protection and
Privacy Cybersecurity Leader
► Cybersecurity professional for 20 years
► Work with organizations around the world on securing the
company and people
► NC native, NCSU Alum
What my friends
think I do
What my family
thinks I doWhat I really do
Page 2 Think security! Cybersecurity awareness
Our goals today
1. Share real-life examples of the cyber threat landscape
2. Share tactical recommendations that you can
immediately perform at work and at home
3. Answer your questions
20/04/2017
2
Page 3 Think security! Cybersecurity awareness
Cybersecurity is protecting information
Data is not
corrupted or
modified by
unauthorized
means
Ensuring that
information and
services are
available when
requested
Protecting sensitive
information from
unauthorized
disclosure or
interception
Availability
Cybersecurity
Page 4 Think security! Cybersecurity awareness
Why is this important to me?
Technology is rapidly
changing and becoming
more complex.
Cyber threats could
potentially have a huge
impact to your company
and your personal life.
Hackers have become
more motivated, skilled,
and organized in
stealing your
information and money.
Page 5 Think security! Cybersecurity awareness
Data breach statistics
Source: http://breachlevelindex.com/
Data records are lost or stolen at the following frequency:
Every day
4,530,602 records
Every hour
188,775 records
Every minute
3,146 records
Every second
52 records
35.19%
15.46%
11.82%
11.46%
4.40%3.48% 1.12%
1 2 3
4 5 6
7
Data records stolen or lost by industryShows percentage of total records
Date range: 2013 - present
61.68%
20.60%
11.55%
8.35%
7.88%
1 2 3 4 5
Number of breach incidents by typeAttackers use a variety of techniques against organizations
Date range: 2013 - present
65.25%24.70%
15.27%
2.18%
2.17%0.50%
1 2 3
4 5 6
Number of breach incidents by sourceSource of data breaches causing problems can vary
Date range: 2013 - present
20/04/2017
3
Page 6 Think security! Cybersecurity awareness
Can I see this data another way?
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
World’s biggest data breachesSelected losses greater than 30,000 records (as of 5 January 2017)
► River City Media: 1,370,000,000
► Friend Finder Network: 412,000,000
► MySpace: 164,000,000
► VK: 100,544,934
► Dailymotion: 85,200,000
► Weebly: 43,000,000
► Yahoo!: 32,000,000
► Mail.ru: 25,000,000
Page 7 Think security! Cybersecurity awareness
Cybersecurity Is every company a target?
► Common misconception
► I don’t process credit card transactions
internally, therefore, my company is not
a target.”
► Reality
► Companies can be targeted for many
reasons:
► Company is a vendor of the ultimate target
► Research and development information
► Clients’ plans and specs
► Sensitive merger and acquisition
information
► Disrupt operations
“
Page 8 Think security! Cybersecurity awareness
The reality of business todayCybersecurity hot topics
Cyber risks are ever increasing in a world
with no boundaries and no rules
► Growing regulatory and government focus
► Acute cost and competitive pressure
► Technology developing in leaps and
bounds, especially as our clients move
toward the “Internet of Things” (IOT)
► Increased erosion of perimeter from third
parties, social media and personal devices
► Extended supply chain means links to
smaller business partners
► Rising level and sophistication of external
threats
► Risk outpacing organizations’ ability to
keep up
20/04/2017
4
Page 9 Think security! Cybersecurity awareness
Where it all started
► SSN stolen over 40,000 times
► At the card’s peak rate of use,
almost 6,000 individuals were
using her SSN number
► Used as late as 1977
Who is Hilda Schrader Whitcher?
► Source: https://www.ssa.gov/history/ssn/misused.html
Page 10 Think security! Cybersecurity awareness
Challenges – why are users the target?
► Lack of experience: We are experiencing a world we
never grew up in.
► Lack of education: No one taught us how to stay safe on
the internet.
► Always-on access: We have constant internet access
through a variety of devices.
Page 11 Think security! Cybersecurity awareness
How does this happen?
20/04/2017
5
Page 12 Think security! Cybersecurity awareness
One common entry vector that can lead to data breaches is social engineering
Social engineering
definition: The
psychological manipulation
of an individual to gain
access to information.
Social engineering is a
component of most cyber
attacks on individuals and
companies.
Page 13 Think security! Cybersecurity awareness
How do social engineering attacks happen?
Information
reconnaissance
Relationship
building
Attack
execution
Leverage of
insights
The attacker develops a
relationship with the victim.
The attacker strives to attain a
trusting affiliation in order to
take advantage of the target.
The attacker uses the
highly restricted
information or physical
access gained. This may be the
conclusion of the attack or a
launching point for the next
stage of the attack.
The social engineer has
compromised the individual
and has gained information
that can be used to their
benefit or to gain
more information.
The attacker tries to collect information
about a potential target using all
means available. The information
gathered is used to manipulate the
target or any person who can be used
for a successful attack.
1
2
3
4
Page 14 Think security! Cybersecurity awareness
What are the types of social engineering attacks?
Social
engineering
attacks
Baiting
Pretexting
Quid pro
quo
Spam
Tailgating
Phishing
20/04/2017
6
Page 15 Think security! Cybersecurity awareness
Types of social engineering attacksBaiting
Social
engineering
attacks
Baiting
Pretexting
Quid pro
quo
Spam
Tailgating
Phishing
Example: A
USB flash drive
with a company
logo was left
out in the open.
In order to
assist in finding
the owner, an
employee
plugged the
USB drive into
a laptop which
then became
infected with
malicious
software.
Baiting involves
an attacker
dangling
something you
want in order to
entice you to
take an action
the criminal
desires.
Page 16 Think security! Cybersecurity awareness
Types of social engineering attacksPretexting
In these
attacks, cyber
criminals
pretend they
need certain
information
from their target
in order to
confirm the
target’s identity.
Social
engineering
attacks
Baiting
Pretexting
Quid pro
quo
Spam
Tailgating
Phishing
Page 17 Think security! Cybersecurity awareness
Types of social engineering attacksQuid pro quo
In a quid pro
quo attack,
social
engineers
request
information
from an
individual in
exchange
for
something
desirable.
Social
engineering
attacks
Baiting
Pretexting
Quid pro
quo
Spam
Tailgating
Phishing
20/04/2017
7
Page 18 Think security! Cybersecurity awareness
Types of social engineering attacksSpam
Spam consists
of bulk email
messages sent
to individuals
without their
permission.
Spam emails
can be
malicious and
expose you to
malware
infection or a
loss of data.
Social
engineering
attacks
Baiting
Pretexting
Quid pro
quo
Spam
Tailgating
Phishing
Page 19 Think security! Cybersecurity awareness
Types of social engineering attacksTailgating
Tailgating is
when an
unauthorized
individual
enters a
secure location
by following a
person with
legitimate
access,
without the
employee’s
permission or
knowledge.
Social
engineering
attacks
Baiting
Pretexting
Quid pro
quo
Spam
Tailgating
Phishing
Page 20 Think security! Cybersecurity awareness
Types of social engineering attacksPhishing
Phishing is
sending a
fraudulent
email, instant
message or
other web-
based media to
get someone
to divulge any
information..
Phishing is the most
common type of
social engineering
attack used today.
Most phishing emails
seek to obtain
information, include
embedded
hyperlinks or
attached files, and
often communicate
threats, fear or a
sense of urgency.
Social
engineering
attacks
Baiting
Pretexting
Quid pro
quo
Spam
Tailgating
Phishing
20/04/2017
8
Page 21 Think security! Cybersecurity awareness
Passwords – as easy as 123456 The 25 worst passwords revealed
1) 123456 (unchanged)
2) password (unchanged)
3) 12345678 (up 1)
4) qwerty (up 1)
5) 12345 (down 2)
6) 123456789 (unchanged)
7) football (up 3)
8) 1234 (down 1)
9) 1234567 (up 2)
10) baseball (down 2)
11) welcome (new)
12) 234567890 (new)
13) abc123 (up 1)
14) 111111 (up 1)
15) 1qaz2wsx (new)
16) dragon (down 7)
17) master (up 2)
18) monkey (down 6)
19) letmein (down 6)
20) login (new)
21) princess (new)
22) qwertyuiop (new)
23) solo (new)
24) passw0rd (new)
25) starwars (new)
► If your password appears on this list, you should probably change it
right away
Page 22 Think security! Cybersecurity awareness
The password is the basic factor in authentication
Weak passwords Strong passwords
► Four-digit year: 19XX, 20XX ► Minimum password length of
8–12 characters
► “Password”: pass, password,
p@$$word
► A combination of upper- and
lowercase letters, numbers and
special characters.
► Dictionary words: “football,”
“baseball,” “secure”
► Different from any of the last
passwords used
► Names: name of your pet, parents,
children
► Try to use different passwords
for different services
► Personal Information: your name,
email address, birthday
► Use a passphrase instead of a
password
► Keyboard patterns and sequences:
qwerty, asdf, 123456, abc123
Page 23 Think security! Cybersecurity awareness
Create strong passwords
One way to create a secure
password is to start with a
word you will remember
e.g.,“pamphlet”
Add numbers, special
characters and
capitalization
Hence, you may come up
with “pAMPh$3let”
20/04/2017
9
Page 24 Think security! Cybersecurity awareness
Use a passphrase
► A passphrase is a phrase or series of words that is used to create a unique password.
A passphrase is typically longer than passwords for additional security.
► Create a phrase that is long and meaningful
► The phrase may be personal to you, so you can remember it easily
► Use the first character of each word to form a password or the entire phrase
How to create a passphrase
Passphrase example
My parents bought me a car as a
graduation gift in 2013.
I was hired at Mom and Mom on
June 18, 2015.
Mpbmacaaggi2 IwhaMaMoJ12
Page 25 Think security! Cybersecurity awareness
Passwords
► Use different passwords for every site
► Otherwise, one site getting hacked exposes all of your accounts
► Use a secure password manager
► Creates a complex password for every site for you
► You need to remember only one master pass phrase
► Can be a vault for other important information
Page 26 Think security! Cybersecurity awareness
Two-factor authentication
► What is it?
► Requires multiple things to gain access to an account:
► Something you know
► Something you have
► Why is it good?
► Prevents someone who has your password from accessing an
account
► Notifies you when someone tries to access your account
20/04/2017
10
Page 27 Think security! Cybersecurity awareness
Two-step authentication using Google Authenticator
► Provides a second factor of authentication to access your Google account
► If your username and password are ever compromised, the attacker will also need the PIN code to access your account
► Google Authenticator can be used for many personal sites too!
Page 28 Think security! Cybersecurity awareness
Watch for breaches in the news
https://haveibeenpwned.com
Page 29 Think security! Cybersecurity awareness
Typical privacy-type questions
► Favorite color
► Car
► School mascot
► Favorite sports teams
► Favorite movies
► Mother’s maiden name
► Spouse’s name
► Names of friends
► Address
► Email address
► Phone number
► Education history
► Employment history
► Home address
► Date of birth
► City and state of birth
► Pet names
► Family names
Our data never changes
► Use your password manager to make up answers to security questions and record them
Page 30 Think security! Cybersecurity awareness
Real-life phishing examples
Page 31 Think security! Cybersecurity awareness
We know to ignore these
Page 32 Think security! Cybersecurity awareness
But what about this one?
Page 33 Think security! Cybersecurity awareness
If you think people will not fall for this, they do
► The Federal Bureau of Investigation (FBI) has been keeping a running tally of the financial devastation visited on companies via CEO fraud scams.
► In June 2016, the FBI estimated that crooks had stolen nearly $3.1b from more than 22,000 victims of these wire fraud schemes.
Source: https://krebsonsecurity.com/2017/02/irs-scam-blends-ceo-fraud-w-2-phishing/
Page 34 Think security! Cybersecurity awareness
Why would I need to email the W2 for employees?
Page 35 Think security! Cybersecurity awareness
We have seen lots of these over the past two months
Page 36 Think security! Cybersecurity awareness
Attachment phishing
Source: http://news.netcraft.com/archives/2012/11/13/phishing-attacks-using-html-attachments.html
Do not open attachments in emails that you did not expect to receive.
Page 37 Think security! Cybersecurity awareness
Hover over the link
Source: http://technews.olemiss.edu/files/2014/03/verizon-phishing.gif
Page 38 Think security! Cybersecurity awareness
Is this real?
Page 39 Think security! Cybersecurity awareness
What’s wrong with this site?
That’s not Google
Page 40 Think security! Cybersecurity awareness
Phishing can also occur via text messaging
Page 41 Think security! Cybersecurity awareness
Texts/emails you should always avoid
► Any communication that you did not initiate
► Communications from your bank with links
► Communications from the IRS
► Communications from your credit card company with a call to action
► Unsolicited communication from your doctor, lawyer, accountant or other professional services person
► Random communication from your mortgage company
► Scary texts from a lender
► Promotion from your favorite game
Page 42 Think security! Cybersecurity awareness
Ransomware
Page 43 Think security! Cybersecurity awareness
What is social media?
Social media are interactive platforms that allow people to create and share information over the internet. These platforms include web applications, websites and mobile apps.
Page 44 Think security! Cybersecurity awareness
Social media sites are susceptible to privacy concerns
► Two of the most popular social media platforms are Facebook and Twitter.
► LinkedIn is the largest professional networking site.
► One million websites have integrated with Facebook.
► 25% of users don’t bother with privacy settings.
[Figure: platform logos with user counts: 450m users, 1.7b users, 320m users]
Page 45 Think security! Cybersecurity awareness
IoT devices
Page 46 Think security! Cybersecurity awareness
IoT scanner
http://iotscanner.bullguard.com/
Page 47 Think security! Cybersecurity awareness
Tips to avoid social engineering
► Be skeptical of unusual or unexpected communications
► Be cautious in what you post online
► Be careful when opening attachments
► Speak up if something doesn’t look right
► Lock your laptop screen: do not leave equipment unattended in public places
► Do not send personal or highly restricted information over the Internet without double-checking the validity of the website’s URL (https://...)
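"Hover over the link", "That's not Google" and the tip above about checking the URL all come down to the same habit: compare where a link says it goes with where it actually goes, and check the scheme and the real host. The function below encodes those checks so they can be run over the links in an email or page before anyone clicks. It is an added example written for this page, not the presenter's or EY's code; its two-label approximation of the registrable domain is an assumption (no public-suffix list), and the hosts and 203.0.113.x address in the test data are constructed examples.

```python
from urllib.parse import urlsplit


def is_ip_literal(host: str) -> bool:
    """True for dotted-quad IPv4 hosts; real services almost never link to a bare IP."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Assumption for this example: no public-suffix list is consulted, so
    'example.co.uk' reduces to 'co.uk'. It is still enough to see that
    'accounts.google.com.login-check.example' belongs to 'login-check.example'.
    """
    host = host.lower().rstrip(".")
    if is_ip_literal(host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def parse_target(url: str):
    """Return (scheme, netloc, hostname); a bare hostname is treated as https."""
    url = url.strip()
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc, (parts.hostname or "").lower()


def assess_link(display_text: str, href: str, expected_domain: str = None) -> list:
    """Return the reasons a link deserves suspicion (an empty list means none found).

    display_text:    what the email or page shows for the link
    href:            where the link really points (what hovering reveals)
    expected_domain: the domain the message claims to come from, if known
    """
    findings = []
    scheme, netloc, host = parse_target(href)

    if scheme != "https":
        findings.append("not https")
    if "@" in netloc:
        # Everything before '@' is userinfo, not the site; the browser goes to `host`.
        findings.append("userinfo before '@' hides the real host " + host)
    if is_ip_literal(host):
        findings.append("link goes to a raw IP address " + host)

    shown = display_text.strip()
    if "." in shown and " " not in shown:  # the visible text itself looks like a URL
        _, _, shown_host = parse_target(shown)
        if shown_host and registered_domain(shown_host) != registered_domain(host):
            findings.append(f"text shows {shown_host} but link goes to {host}")

    if expected_domain and registered_domain(host) != registered_domain(expected_domain):
        findings.append(f"{host} is not under {expected_domain}")

    return findings


if __name__ == "__main__":
    # Constructed sample: a "verify your account" mail claiming to be from Google
    print(assess_link("Verify your account",
                      "http://accounts.google.com.login-check.example/",
                      expected_domain="google.com"))
```

The registered-domain comparison is what catches the "That's not Google" case: a long hostname that starts with a familiar name but is registered somewhere else. The same logic can be pointed at SMS links, since the text-message phishing the next slide shows relies on the same trick.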
Page 48 Think security! Cybersecurity awareness
Tips
Install a comprehensive security suite
Install a comprehensive security suite that provides layered defense via anti-virus, anti-phishing, safe browsing, host-based intrusion prevention and firewall capabilities. Install ad blockers for your web browsers.
Migrate to modern operating systems and hardware platforms
The latest version of any operating system (OS) usually updates security features from the previous versions. Many of these security features are enabled by default and help prevent common attack vectors.
Page 49 Think security! Cybersecurity awareness
Tips
Implement strong passwords on all network devices
In addition to using a strong and complex password on your wireless access point, use a strong password on any network device that can be managed via web interface, including routers, printers and cameras.
Implement WPA2 on your wireless network
To keep your wireless communication confidential, ensure your wireless access point is using a Wireless Protected Access 2 (WPA2) connection at home.
Page 50 Think security! Cybersecurity awareness
Buyer beware
► Beware of public things
► Public kiosk computer
► Public Wi-Fi
► Hotel computers
Page 51 Think security! Cybersecurity awareness
Questions?
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.
© 2017 Ernst & Young LLP. All Rights Reserved.
1703-2258663
ED None
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.
ey.com
Think Security Webinar
April 25, 2017
Attendees by Last Name (164)
Jennifer Acton-UNC Chapel Hill
Kathryn Alexander-Forsyth Technical CC
Shelly Alman-Gaston CC
Gregory Alvord-Health & Human Services
Jennifer Arenas-Central Piedmont CC
Lamees Asad-UNC
Steve Ayers-East Carolina University
Phillip Ayscue-Department of Transportation
David Barkhau-Department of Transportation
Ruth Bartholomew-UNC Health
Alicia Bartosch-UNC
Kim Battle-Office of the State Controller
Jeannie Betts-Health & Human Services
Krista Bigelow-Department of Public Instruction
Steven Birkhofer-UNC
Jennifer Blair-UNC
John Blevins-UNC Health
Judy Blount-Department of Public Instruction
Joyce Boni-UNC
Jessica Boyce-Central Piedmont Community College
Vicki Braddy-Department of Public Safety
Roger Brandon-Appalachian State University
Robert Brinson-Department of Public Safety
Cameron Brown-Commerce
Jeff Carpenter-Haywood CC
Wynona Cash-Office of the State Controller
Sherry Chance-UNC
Susan Charlton-Department of Public Safety
Steve Chase-Wildlife
James Cheroke-Department of Public Safety
Emily Coble-UNC
Bruce Cole-Gaston CC
Tracey Conrad-UNC
Eloise Covalt-Appalachian State University
Stephanie Cronk-Department of Revenue
Emma Davis-Health & Human Services
Irene Deng-UNC
Debbie Dryer-UNC
Di'Nesha Dunn-Central Piedmont Community College
Ryan Dupree-Department of Public Instruction
Michael Durkin-Department of Transportation
Jolene Elkins-Health & Human Services
Wendy Emerson-Forsyth Technical CC
Leah Englebright-School Science & Math
Carl Epley-Health & Human Services
Bonaventure Ezewuzie-Office of the State Controller
Joanne Ferguson-UNC
Steve Fleeman-NC A&T
Nadine Flint-UNC
Frances Flowers-East Carolina University
Denise Foutz-Appalachian State University
Elaine Freeman-Commerce
Joyce Freeman-DENR
Lauren Gates-Central Piedmont Community College
Derek Gee-Department of Cultural Resources
Tony Georges-UNC
Anne Godwin-Office of the State Controller
Kristi Gragg-Appalachian State University
Christina Greene-Cape Fear CC
Austin Grier-Winston Salem State University
Charles Gullette-East Carolina University
Timothy Harrell-Department of Public Safety
Carol Harris-UNC
Elizabeth Haynes-Department of Cultural Resources
Shannon Henry-Winston Salem State University
Jeff Hill-Central Piedmont Community College
Shannon Hobby-Department of Cultural Resources
Paul Horner-Health & Human Services
Heather Horton-Commerce
Kelley Horton-UNC
Tammy Hubbell-Department of Revenue
Scott Hummel-NC A&T
Heather Hummer-UNC
Jessica Hwang-Strickland-UNC
Heather Iannucci-UNC
Suzanne Imboden-East Carolina University
ROD ISOM-Winston Salem State University
Deborah Jackson-UNC Health
Michael W. Jackson-NC A&T
David Jamison-Appalachian State University
Brittany Johnson-Department of Revenue
Sue Kearney-Agriculture
Ginger King-Bladen CC
Gloria King-Health & Human Services
Darlene Langston-Department of Public Safety
Jennifer Leigh-Central Piedmont CC
Tracey Lemming-UNC
John Leskovec-State Budget & Management
Xingjie Lu-UNC Health
Felecia Lucas-Health & Human Services
Theresa Lynch-Forsyth Technical CC
Evelyn Makatiani-UNC
Arun Malik-UNC
Jo Ann Martin-Health & Human Services
Marcus McAllister-Office of the State Controller
Jarvis McBride-Health & Human Services
Nicole McCoy-UNC
SORINA MCINTURFF-Appalachian State University
Christie Medford-Haywood CC
Joel Mercer-Health & Human Services
Laketha Miller-Health & Human Services
Matt Miller-UNC
Kelly Mintern-UNC
Cynthia Modlin-East Carolina University
Kimberly Morehouse-Haywood CC
Dannie Moss-East Carolina University
Michael Moss-Central Piedmont CC
Clayton Murphy-Office of the State Controller
Melanie Nuckols-Forsyth Technical CC
Jennifer Pacheco-Office of the State Controller
Paul Palermo-Office of the State Treasurer
Patty Peebles-East Carolina University
Amy Penson-Isothermal CC
Jennifer Percy-NC Housing & Finance
Landon Perry-DENR
Anita Peters-Haywood CC
Rick Pieringer-Office of the State Controller
Sarah Pinion-Winston Salem State University
Tiesha Pope-Department of Justice
Brittany Powell-East Carolina University
Donna Powell-Department of Revenue
Dawn Quist-East Carolina University
Tracy Rapp-Haywood CC
Carla Reaves-Winston Salem State University
Lymari Rentas-Gonzalez-Health & Human Services
Doreen Rettie-Department of Public Safety
Zahiya ( Sarah ) Rimawi-Forsyth Technical CC
Chavon Robbins-Health & Human Services
Sharon Robertson-Tri County CC
Wayne Rogers-Department of Transportation
Elizabeth Ross-Western Carolina University
Joan Saucier-Department of Public Safety
Troy Scoggins-Office of the State Controller
Sherryl Seigfreid-UNC
Teresa Shingleton-Office of the State Controller
Debra Smith-NC Community Colleges
Kelly Smith-UNC
Rodney Smith-UNC
Alison Soles-Southeastern CC
Faye Steele-East Carolina University
David Steinbicker-Western Carolina University
Gina Steinbicker-Western Carolina University
Robert Stogner-Fayetteville State University
John Stroud-Department of Transportation
Hannah Sullivan-Health & Human Services
Dawei Tang-UNC
Michelle taylor-UNC
Tom Taylor-NC General Assembly
Karen Thomas-Department of Transportation
Catherine Thompson-NC State University
Samuel Tucker-Department of Revenue
Prabhavathi Vijayaraghavan-Department of Public Instruction
Megan Wallace-Office of the State Controller
Dianne Ware-Furlow-UNC
Lily West-Department of Public Safety
Rex Whaley-DENR
Mike Whiteman-Central Piedmont Community College
Cassandra Wilson-Office of the State Treasurer
Joseph Wilson-Department of Transportation
Melissa Wilson-Central Piedmont Community College
Steve Woodruff-Rockingham CC
Claudia Young-NC Housing & Finance
Yifan Zhou-Appalachian State University
Fang Zuo-UNC Charlotte
Think Security Webinar
April 25, 2017
Attendees by Agency (164)
Sue Kearney-Agriculture
Roger Brandon-Appalachian State University
Eloise Covalt-Appalachian State University
Denise Foutz-Appalachian State University
Kristi Gragg-Appalachian State University
David Jamison-Appalachian State University
Sorina McInturff-Appalachian State University
Yifan Zhou-Appalachian State University
Ginger King-Bladen Community College
Christina Greene-Cape Fear Community College
Jennifer Arenas-Central Piedmont CC
Jessica Boyce-Central Piedmont CC
Di'Nesha Dunn-Central Piedmont CC
Lauren Gates-Central Piedmont Community College
Jeff Hill-Central Piedmont Community College
Jennifer Leigh-Central Piedmont CC
Michael Moss-Central Piedmont CC
Mike Whiteman-Central Piedmont CC
Melissa Wilson-Central Piedmont CC
Cameron Brown-Commerce
Elaine Freeman-Commerce
Heather Horton-Commerce
Joyce Freeman-DENR
Landon Perry-DENR
Rex Whaley-DENR
Derek Gee-Cultural Resources
Elizabeth Haynes-Cultural Resources
Shannon Hobby-Cultural Resources
Tiesha Pope-Department of Justice
Krista Bigelow-Department of Public Instruction
Judy Blount-Department of Public Instruction
Ryan Dupree-Department of Public Instruction
Prabhavathi Vijayaraghavan-Public Instruction
Vicki Braddy-Department of Public Safety
Robert Brinson-Department of Public Safety
Susan Charlton-Department of Public Safety
James Cheroke-Department of Public Safety
Timothy Harrell-Department of Public Safety
Darlene Langston-Department of Public Safety
Doreen Rettie-Department of Public Safety
Joan Saucier-Department of Public Safety
Lily West-Department of Public Safety
Stephanie Cronk-Department of Revenue
Tammy Hubbell-Department of Revenue
Brittany Johnson-Department of Revenue
Donna Powell-Department of Revenue
Samuel Tucker-Department of Revenue
Phillip Ayscue-Department of Transportation
David Barkhau-Department of Transportation
Michael Durkin-Department of Transportation
Wayne Rogers-Department of Transportation
John Stroud-Department of Transportation
Karen Thomas-Department of Transportation
Joseph Wilson-Department of Transportation
Steve Ayers-East Carolina University
Frances Flowers-East Carolina University
Charles Gullette-East Carolina University
Suzanne Imboden-East Carolina University
Cynthia Modlin-East Carolina University
Dannie Moss-East Carolina University
Patty Peebles-East Carolina University
Brittany Powell-East Carolina University
Dawn Quist-East Carolina University
Faye Steele-East Carolina University
Robert Stogner-Fayetteville State University
Wendy Emerson-Forsyth Technical CC
Kathryn Alexander-Forsyth Technical CC
Theresa Lynch-Forsyth Technical CC
Melanie Nuckols-Forsyth Technical CC
Zahiya ( Sarah ) Rimawi-Forsyth Technical CC
Shelly Alman-Gaston Community College
Bruce Cole-Gaston Community College
Jeff Carpenter-Haywood Community College
Christie Medford-Haywood Community College
Kimberly Morehouse-Haywood Community College
Anita Peters-Haywood Community College
Tracy Rapp-Haywood Community College
Gregory Alvord-Health & Human Services
Jeannie Betts-Health & Human Services
Emma Davis-Health & Human Services
Jolene Elkins-Health & Human Services
Carl Epley-Health & Human Services
Paul Horner-Health & Human Services
Gloria King-Health & Human Services
Felecia Lucas-Health & Human Services
Jo Ann Martin-Health & Human Services
Jarvis McBride-Health & Human Services
Joel Mercer-Health & Human Services
Laketha Miller-Health & Human Services
Lymari Rentas-Gonzalez-Health & Human Services
Chavon Robbins-Health & Human Services
Hannah Sullivan-Health & Human Services
Amy Penson-Isothermal Community College
Steve Fleeman-NC A&T
Scott Hummel-NC A&T
Michael W. Jackson-NC A&T
Debra Smith-NC Community Colleges
Tom Taylor-NC General Assembly
Jennifer Percy-NC Housing & Finance
Claudia Young-NC Housing & Finance
Catherine Thompson-NC State University
John Leskovec-State Budget & Management
Kim Battle-Office of the State Controller
Wynona Cash-Office of the State Controller
Bonaventure Ezewuzie-State Controller
Anne Godwin-Office of the State Controller
Marcus McAllister-Office of the State Controller
Clayton Murphy-Office of the State Controller
Jennifer Pacheco-Office of the State Controller
Rick Pieringer-Office of the State Controller
Troy Scoggins-Office of the State Controller
Teresa Shingleton-Office of the State Controller
Megan Wallace-Office of the State Controller
Paul Palermo-Office of the State Treasurer
Cassandra Wilson-Office of the State Treasurer
Steve Woodruff-Rockingham Community College
Leah Englebright-School Science & Math
Alison Soles-Southeastern Community College
Sharon Robertson-Tri County Community College
Alicia Bartosch-UNC
Steven Birkhofer-UNC
Jennifer Blair-UNC
Joyce Boni-UNC
Sherry Chance-UNC
Emily Coble-UNC
Tracey Conrad-UNC
Irene Deng-UNC
Debbie Dryer-UNC
Joanne Ferguson-UNC
Nadine Flint-UNC
Tony Georges-UNC
Carol Harris-UNC
Kelley Horton-UNC
Heather Hummer-UNC
Jessica Hwang-Strickland-UNC
Heather Iannucci-UNC
Tracey Lemming-UNC
Evelyn Makatiani-UNC
Arun Malik-UNC
Nicole McCoy-UNC
Kelly Mintern-UNC
Sherryl Seigfreid-UNC
Kelly Smith-UNC
Rodney Smith-UNC
Dawei Tang-UNC
Michelle Taylor-UNC
Dianne Ware-Furlow-UNC
Matt Miller-UNC
Lamees Asad-UNC
Jennifer Acton-UNC Chapel Hill
Fang Zuo-UNC Charlotte
Ruth Bartholomew-UNC Health
John Blevins-UNC Health
Deborah Jackson-UNC Health
Xingjie Lu-UNC Health
Elizabeth Ross-Western Carolina University
David Steinbicker-Western Carolina University
Gina Steinbicker-Western Carolina University
Steve Chase-Wildlife
Austin Grier-Winston Salem State University
Shannon Henry-Winston Salem State University
Rodney Isom-Winston Salem State University
Sarah Pinion-Winston Salem State University
Carla Reaves-Winston Salem State University