think security things you can do to protect yourself and ... · think security – things you can...

Think Security – Things You Can Do to Protect Yourself and Your Company from Today’s Threats

Continuing Professional Education North Carolina Office of the State Controller

---------------------------------------------------------------------------------------------------------------------

Date April 25, 2017 10:00am – 11:00am

Location Office of the State Controller and Live Webinar

Objective To establish basic cybersecurity measurers that businesses can leverage to grow while also protecting their most critical assets.

Content In order to maintain the public’s trust, businesses need to establish basic cybersecurity measures that they can leverage to grow their business while also protecting their most critical assets. Today, all businesses, regardless of size or industry, public or private, rely on technology to perform their daily functions. Technology is only going to increase and provides an essential function for businesses to stay connected and informed. However, with these increased conveniences comes increased risks. The internet now facilitates real life crimes including fraud, identity theft and embezzlement. No one is immune to the problem and there is no silver bullet for fixing it. The majority of cyber criminals are indiscriminate; they target vulnerable computer systems regardless of whether the systems are part of a Fortune 500 company, a small business, or belong to a home user. During this session we will discuss the following topics:

· What is Cybersecurity

· Global cybercrime economy

· Understanding what types of threats apply to your company

· Understanding the current threat landscape that you are facing

· Leading practices in cybersecurity risk management

Instructor Chip Wentz

Chip Wentz is a Principal in the Advisory Services practice of Ernst & Young (EY) LLP. Chip leads the Data Protection and Privacy (DPP) sub-service line for the Americas Cyber practice. The DPP practice is focused on helping our clients to identify and protect their sensitive data by assisting them to build the processes and implement the controls needed to provide the right level of protection based on the risk. In this role Chip is responsible for all aspects of the practice including people, quality, growth, and operations.

Chip has over 19 years of experience advising corporate boards, executives and technical leaders in establishing comprehensive processes for managing and maturing their cyber security and data protection programs. These include data

loss prevention (DLP) implementations; security architecture; and PCI DSS compliance to strategically protect their critical information assets, reduce business risk and address complex compliance mandates.

Chip has spent the last decade building and leading global information security technology, teams, and compliance operations. He is certified as a CIA, CISA, CISM, CISSP, CIPP and CGEIT. Chip graduated with a BS in Accounting from NC State University.

Chip is a frequent speaker on related topics at industry events across the country.

CPE Credit Offered

Up to 1.0 hour

Materials None

Teaching Method

Lecture

Prerequisites None

Preparation None

Level Basic

Webinar Developer: Ernst & Young (EY) - http://www.ey.com/

Webinar Sponsor: NC Office of the State Controller - https://www.osc.nc.gov/

http://www.ey.com/

https://www.osc.nc.gov/

Think security!

Cybersecurity awareness

Think security! Cybersecurity awareness

Who is Chip Wentz?

► Principal, EY Advisory - Americas Data Protection and

Privacy Cybersecurity Leader

► Cybersecurity professional for 20 years

► Work with organizations around the world on securing the

company and people

► NC native, NCSU Alum

What my friends

think I do

What my family

thinks I doWhat I really do


Our goals today

1. Share real-life examples of the cyber threat landscape

2. Share tactical recommendations that you can

immediately perform at work and at home

3. Answer your questions


Cybersecurity is protecting information

Data is not

corrupted or

modified by

unauthorized

means

Ensuring that

information and

services are

available when

requested

Protecting sensitive

information from

unauthorized

disclosure or

interception

Availability

Cybersecurity


Why is this important to me?

Technology is rapidly

changing and becoming

more complex.

Cyber threats could

potentially have a huge

impact to your company

and your personal life.

Hackers have become

more motivated, skilled,

and organized in

stealing your

information and money.


Data breach statistics

Source: http://breachlevelindex.com/

Data records are lost or stolen at the following frequency:

Every day

4,530,602 records

Every hour

188,775 records

Every minute

3,146 records

Every second

52 records

35.19%

15.46%

11.82%

11.46%

4.40%3.48% 1.12%

1 2 3

4 5 6

7

Data records stolen or lost by industryShows percentage of total records

Date range: 2013 - present

61.68%

20.60%

11.55%

8.35%

7.88%

1 2 3 4 5

Number of breach incidents by typeAttackers use a variety of techniques against organizations


65.25%24.70%

15.27%

2.18%

2.17%0.50%

1 2 3

4 5 6

Number of breach incidents by sourceSource of data breaches causing problems can vary



Can I see this data another way?

Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

World’s biggest data breachesSelected losses greater than 30,000 records (as of 5 January 2017)

► River City Media: 1,370,000,000

► Friend Finder Network: 412,000,000

► MySpace: 164,000,000

► VK: 100,544,934

► Dailymotion: 85,200,000

► Weebly: 43,000,000

► Yahoo!: 32,000,000

► Mail.ru: 25,000,000


Cybersecurity Is every company a target?

► Common misconception

► I don’t process credit card transactions

internally, therefore, my company is not

a target.”

► Reality

► Companies can be targeted for many

reasons:

► Company is a vendor of the ultimate target

► Research and development information

► Clients’ plans and specs

► Sensitive merger and acquisition

information

► Disrupt operations

“


The reality of business todayCybersecurity hot topics

Cyber risks are ever increasing in a world

with no boundaries and no rules

► Growing regulatory and government focus

► Acute cost and competitive pressure

► Technology developing in leaps and

bounds, especially as our clients move

toward the “Internet of Things” (IOT)

► Increased erosion of perimeter from third

parties, social media and personal devices

► Extended supply chain means links to

smaller business partners

► Rising level and sophistication of external

threats

► Risk outpacing organizations’ ability to

keep up


Where it all started

► SSN stolen over 40,000 times

► At the card’s peak rate of use,

almost 6,000 individuals were

using her SSN number

► Used as late as 1977

Who is Hilda Schrader Whitcher?

► Source: https://www.ssa.gov/history/ssn/misused.html


Challenges – why are users the target?

► Lack of experience: We are experiencing a world we

never grew up in.

► Lack of education: No one taught us how to stay safe on

the internet.

► Always-on access: We have constant internet access

through a variety of devices.


How does this happen?


One common entry vector that can lead to data breaches is social engineering

Social engineering

definition: The

psychological manipulation

of an individual to gain

access to information.

Social engineering is a

component of most cyber

attacks on individuals and

companies.


How do social engineering attacks happen?

Information

reconnaissance

Relationship

building

Attack

execution

Leverage of

insights

The attacker develops a

relationship with the victim.

The attacker strives to attain a

trusting affiliation in order to

take advantage of the target.

The attacker uses the

highly restricted

information or physical

access gained. This may be the

conclusion of the attack or a

launching point for the next

stage of the attack.

The social engineer has

compromised the individual

and has gained information

that can be used to their

benefit or to gain

more information.

The attacker tries to collect information

about a potential target using all

means available. The information

gathered is used to manipulate the

target or any person who can be used

for a successful attack.

1

2

3

4


What are the types of social engineering attacks?

Social

engineering

attacks

Baiting

Pretexting

Quid pro

quo

Spam

Tailgating

Phishing


Types of social engineering attacksBaiting

Social

engineering

attacks

Baiting

Pretexting

Quid pro

quo

Spam

Tailgating

Phishing

Example: A

USB flash drive

with a company

logo was left

out in the open.

In order to

assist in finding

the owner, an

employee

plugged the

USB drive into

a laptop which

then became

infected with

malicious

software.

Baiting involves

an attacker

dangling

something you

want in order to

entice you to

take an action

the criminal

desires.


Types of social engineering attacksPretexting

In these

attacks, cyber

criminals

pretend they

need certain

information

from their target

in order to

confirm the

target’s identity.

Social

engineering

attacks

Baiting

Pretexting

Quid pro

quo

Spam

Tailgating

Phishing


Types of social engineering attacksQuid pro quo

In a quid pro

quo attack,

social

engineers

request

information

from an

individual in

exchange

for

something

desirable.

Social

engineering

attacks

Baiting

Pretexting

Quid pro

quo

Spam

Tailgating

Phishing


Types of social engineering attacksSpam

Spam consists

of bulk email

messages sent

to individuals

without their

permission.

Spam emails

can be

malicious and

expose you to

malware

infection or a

loss of data.

Social

engineering

attacks

Baiting

Pretexting

Quid pro

quo

Spam

Tailgating

Phishing


Types of social engineering attacksTailgating

Tailgating is

when an

unauthorized

individual

enters a

secure location

by following a

person with

legitimate

access,

without the

employee’s

permission or

knowledge.

Social

engineering

attacks

Baiting

Pretexting

Quid pro

quo

Spam

Tailgating

Phishing


Types of social engineering attacksPhishing

Phishing is

sending a

fraudulent

email, instant

message or

other web-

based media to

get someone

to divulge any

information..

Phishing is the most

common type of

social engineering

attack used today.

Most phishing emails

seek to obtain

information, include

embedded

hyperlinks or

attached files, and

often communicate

threats, fear or a

sense of urgency.

Social

engineering

attacks

Baiting

Pretexting

Quid pro

quo

Spam

Tailgating

Phishing


Passwords – as easy as 123456 The 25 worst passwords revealed

1) 123456 (unchanged)

2) password (unchanged)

3) 12345678 (up 1)

4) qwerty (up 1)

5) 12345 (down 2)

6) 123456789 (unchanged)

7) football (up 3)

8) 1234 (down 1)

9) 1234567 (up 2)

10) baseball (down 2)

11) welcome (new)

12) 234567890 (new)

13) abc123 (up 1)

14) 111111 (up 1)

15) 1qaz2wsx (new)

16) dragon (down 7)

17) master (up 2)

18) monkey (down 6)

19) letmein (down 6)

20) login (new)

21) princess (new)

22) qwertyuiop (new)

23) solo (new)

24) passw0rd (new)

25) starwars (new)

► If your password appears on this list, you should probably change it

right away


The password is the basic factor in authentication

Weak passwords Strong passwords

► Four-digit year: 19XX, 20XX ► Minimum password length of

8–12 characters

► “Password”: pass, password,

p@$$word

► A combination of upper- and

lowercase letters, numbers and

special characters.

► Dictionary words: “football,”

“baseball,” “secure”

► Different from any of the last

passwords used

► Names: name of your pet, parents,

children

► Try to use different passwords

for different services

► Personal Information: your name,

email address, birthday

► Use a passphrase instead of a

password

► Keyboard patterns and sequences:

qwerty, asdf, 123456, abc123


Create strong passwords

One way to create a secure

password is to start with a

word you will remember

e.g.,“pamphlet”

Add numbers, special

characters and

capitalization

Hence, you may come up

with “pAMPh$3let”


Use a passphrase

► A passphrase is a phrase or series of words that is used to create a unique password.

A passphrase is typically longer than passwords for additional security.

► Create a phrase that is long and meaningful

► The phrase may be personal to you, so you can remember it easily

► Use the first character of each word to form a password or the entire phrase

How to create a passphrase

Passphrase example

My parents bought me a car as a

graduation gift in 2013.

I was hired at Mom and Mom on

June 18, 2015.

Mpbmacaaggi2 IwhaMaMoJ12


Passwords

► Use different passwords for every site

► Otherwise, one site getting hacked exposes all of your accounts

► Use a secure password manager

► Creates a complex password for every site for you

► You need to remember only one master pass phrase

► Can be a vault for other important information


Two-factor authentication

► What is it?

► Requires multiple things to gain access to an account:

► Something you know

► Something you have

► Why is it good?

► Prevents someone who has your password from accessing an

account

► Notifies you when someone tries to access your account


Two-step authentication using Google Authenticator

► Provides a second factor of authentication

to access your Google account

► If your username and password are ever

compromised, the attacker will also need

the PIN code to access your account

► Google Authenticator can be used for

many personal sites too!


Watch for breaches in the news

https://haveibeenpwned.com


Typical privacy-type questions Our data never changes

► Use your password manager to make up answers

to security questions and record them

► Favorite color

► Car

► School mascot

► Favorite sports teams

► Favorite movies

► Mother’s maiden name

► Spouse’s name

► Names of friends

► Address

► Email address

► Phone number

► Education history

► Employment history

► Home address

► Date of birth

► City and state of birth

► Pet names

► Family names


Real-life phishing examples


We know to ignore these


But what about this one?


If you think people will not fall for this,they do

► The Federal Bureau of Investigation (FBI) has been

keeping a running tally of the financial devastation visited

on companies via CEO fraud scams.

► In June 2016, the FBI estimated that crooks had stolen

nearly $3.1b from more than 22,000 victims of these wire

fraud schemes.

Source: https://krebsonsecurity.com/2017/02/irs-scam-blends-ceo-fraud-w-2-phishing/


Why would I need to email the W2 for employees?


We have seen lots of these over the past two months


Attachment phishing

Source: http://news.netcraft.com/archives/2012/11/13/phishing-attacks-using-html-attachments.html

Do not open attachments in emails

that you did not expect to receive.


Hover over the link

Source: http://technews.olemiss.edu/files/2014/03/verizon-phishing.gif


Is this real?


What’s wrong with this site?

That’s not Google


Phishing can also occur via text messaging


Texts/emails you should always avoid

► Any communication that you did not initiate

► Communications from your bank with links

► Communications from the IRS

► Communications from your credit card company with a

call to action

► Unsolicited communication from your doctor, lawyer,

accountant or other professional services person

► Random communication from your mortgage company

► Scary texts from a lender

► Promotion from your favorite game


Ransomware


What is social media?

Social media are interactive

platforms that allow people to create

and share information over the

internet. These platforms include

web applications, websites and

mobile apps.


► Two of the most popular social media platforms are Facebook and

Twitter.

► LinkedIn is the largest professional networking site.

► One million websites have integrated with Facebook.

► 25% of users don’t bother with privacy settings.

Social media sites are susceptible to privacy concerns

f450m

users

1.7b

users

320m

users


IoT devices


IoT scanner

http://iotscanner.bullguard.com/


Tips to avoid social engineering

► Be skeptical of unusual or unexpected communications

► Be cautious in what you post online

► Be careful when opening attachments

► Speak up if something doesn’t look right

► Lock your laptop screen: do not leave equipment unattended in public places

► Do not send personal or highly restricted information over the Internet without

double-checking the validity of the website’s URL (https:///...)


Tips

Install a comprehensive security suite that provides

layered defense via anti-virus, anti-phishing, safe browsing,

host-based intrusion prevention and firewall capabilities.

Install ad blockers for your web browsers.

The latest version of any operating system (OS) usually

updates security features from the previous versions. Many of

these security features are enabled by default and help

prevent common attack vectors.

Migrate to modern operating systems and hardware platforms

Install a comprehensive security suite


Tips

In addition to using a strong and complex password on your

wireless access point, use a strong password on any

network device that can be managed via web interface,

including routers, printers and cameras.

To keep your wireless communication confidential, ensure

your wireless access point is using Wireless Protected

Access 2 (WPA2) connection at home.

Implement WPA2 on your wireless network

Implement strong passwords on all network devices


Buyer beware

► Beware of public things

► Public kiosk computer

► Public Wi-Fi

► Hotel computers


Questions?

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory

services. The insights and quality services we deliver help build trust

and confidence in the capital markets and in economies the world

over. We develop outstanding leaders who team to deliver on our

promises to all of our stakeholders. In so doing, we play a critical role

in building a better working world for our people, for our clients and

for our communities.

EY refers to the global organization, and may refer to one

or more, of the member firms of Ernst & Young Global Limited, each

of which is a separate legal entity. Ernst & Young

Global Limited, a UK company limited by guarantee, does not

provide services to clients. For more information about our

organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of

Ernst & Young Global Limited operating in the US.

© 2017 Ernst & Young LLP.

All Rights Reserved.

1703-2258663

ED None

This material has been prepared for general informational purposes

only and is not intended to be relied upon as accounting, tax or other

professional advice. Please refer to your advisors for specific advice.

ey.com

20/04/2017

1

Think security!

Cybersecurity awareness

Page 1 Think security! Cybersecurity awareness

Who is Chip Wentz?

► Principal, EY Advisory - Americas Data Protection and

Privacy Cybersecurity Leader

► Cybersecurity professional for 20 years

► Work with organizations around the world on securing the

company and people

► NC native, NCSU Alum

What my friends

think I do

What my family

thinks I doWhat I really do


Our goals today

1. Share real-life examples of the cyber threat landscape

2. Share tactical recommendations that you can

immediately perform at work and at home

3. Answer your questions

20/04/2017

2


Cybersecurity is protecting information

Data is not

corrupted or

modified by

unauthorized

means

Ensuring that

information and

services are

available when

requested

Protecting sensitive

information from

unauthorized

disclosure or

interception

Availability

Cybersecurity


Why is this important to me?

Technology is rapidly

changing and becoming

more complex.

Cyber threats could

potentially have a huge

impact to your company

and your personal life.

Hackers have become

more motivated, skilled,

and organized in

stealing your

information and money.


Data breach statistics

Source: http://breachlevelindex.com/

Data records are lost or stolen at the following frequency:

Every day

4,530,602 records

Every hour

188,775 records

Every minute

3,146 records

Every second

52 records

35.19%

15.46%

11.82%

11.46%

4.40%3.48% 1.12%

1 2 3

4 5 6

7

Data records stolen or lost by industryShows percentage of total records


61.68%

20.60%

11.55%

8.35%

7.88%

1 2 3 4 5

Number of breach incidents by typeAttackers use a variety of techniques against organizations


65.25%24.70%

15.27%

2.18%

2.17%0.50%

1 2 3

4 5 6

Number of breach incidents by sourceSource of data breaches causing problems can vary


20/04/2017

3


Can I see this data another way?

Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

World’s biggest data breachesSelected losses greater than 30,000 records (as of 5 January 2017)

► River City Media: 1,370,000,000

► Friend Finder Network: 412,000,000

► MySpace: 164,000,000

► VK: 100,544,934

► Dailymotion: 85,200,000

► Weebly: 43,000,000

► Yahoo!: 32,000,000

► Mail.ru: 25,000,000


Cybersecurity Is every company a target?

► Common misconception

► I don’t process credit card transactions

internally, therefore, my company is not

a target.”

► Reality

► Companies can be targeted for many

reasons:

► Company is a vendor of the ultimate target

► Research and development information

► Clients’ plans and specs

► Sensitive merger and acquisition

information

► Disrupt operations

“


The reality of business todayCybersecurity hot topics

Cyber risks are ever increasing in a world

with no boundaries and no rules

► Growing regulatory and government focus

► Acute cost and competitive pressure

► Technology developing in leaps and

bounds, especially as our clients move

toward the “Internet of Things” (IOT)

► Increased erosion of perimeter from third

parties, social media and personal devices

► Extended supply chain means links to

smaller business partners

► Rising level and sophistication of external

threats

► Risk outpacing organizations’ ability to

keep up

20/04/2017

4


Where it all started

► SSN stolen over 40,000 times

► At the card’s peak rate of use,

almost 6,000 individuals were

using her SSN number

► Used as late as 1977

Who is Hilda Schrader Whitcher?

► Source: https://www.ssa.gov/history/ssn/misused.html


Challenges – why are users the target?

► Lack of experience: We are experiencing a world we

never grew up in.

► Lack of education: No one taught us how to stay safe on

the internet.

► Always-on access: We have constant internet access

through a variety of devices.


How does this happen?

20/04/2017

5


One common entry vector that can lead to data breaches is social engineering

Social engineering

definition: The

psychological manipulation

of an individual to gain

access to information.

Social engineering is a

component of most cyber

attacks on individuals and

companies.


How do social engineering attacks happen?

Information

reconnaissance

Relationship

building

Attack

execution

Leverage of

insights

The attacker develops a

relationship with the victim.

The attacker strives to attain a

trusting affiliation in order to

take advantage of the target.

The attacker uses the

highly restricted

information or physical

access gained. This may be the

conclusion of the attack or a

launching point for the next

stage of the attack.

The social engineer has

compromised the individual

and has gained information

that can be used to their

benefit or to gain

more information.

The attacker tries to collect information

about a potential target using all

means available. The information

gathered is used to manipulate the

target or any person who can be used

for a successful attack.

1

2

3

4


What are the types of social engineering attacks?

Social

engineering

attacks

Baiting

Pretexting

Quid pro

quo

Spam

Tailgating

Phishing

20/04/2017

6


Types of social engineering attacksBaiting

Social

engineering

attacks

Baiting

Pretexting

Quid pro

quo

Spam

Tailgating

Phishing

Example: A

USB flash drive

with a company

logo was left

out in the open.

In order to

assist in finding

the owner, an

employee

plugged the

USB drive into

a laptop which

then became

infected with

malicious

software.

Baiting involves

an attacker

dangling

something you

want in order to

entice you to

take an action

the criminal

desires.


Types of social engineering attacksPretexting

In these

attacks, cyber

criminals

pretend they

need certain

information

from their target

in order to

confirm the

target’s identity.

Social

engineering

attacks

Baiting

Pretexting

Quid pro

quo

Spam

Tailgating

Phishing


Types of social engineering attacksQuid pro quo

In a quid pro

quo attack,

social

engineers

request

information

from an

individual in

exchange

for

something

desirable.

Social

engineering

attacks

Baiting

Pretexting

Quid pro

quo

Spam

Tailgating

Phishing

20/04/2017

7


Types of social engineering attacksSpam

Spam consists

of bulk email

messages sent

to individuals

without their

permission.

Spam emails

can be

malicious and

expose you to

malware

infection or a

loss of data.

Social

engineering

attacks

Baiting

Pretexting

Quid pro

quo

Spam

Tailgating

Phishing


Types of social engineering attacksTailgating

Tailgating is

when an

unauthorized

individual

enters a

secure location

by following a

person with

legitimate

access,

without the

employee’s

permission or

knowledge.

Social

engineering

attacks

Baiting

Pretexting

Quid pro

quo

Spam

Tailgating

Phishing


Types of social engineering attacksPhishing

Phishing is

sending a

fraudulent

email, instant

message or

other web-

based media to

get someone

to divulge any

information..

Phishing is the most

common type of

social engineering

attack used today.

Most phishing emails

seek to obtain

information, include

embedded

hyperlinks or

attached files, and

often communicate

threats, fear or a

sense of urgency.

Social

engineering

attacks

Baiting

Pretexting

Quid pro

quo

Spam

Tailgating

Phishing

20/04/2017

8


Passwords – as easy as 123456 The 25 worst passwords revealed

1) 123456 (unchanged)

2) password (unchanged)

3) 12345678 (up 1)

4) qwerty (up 1)

5) 12345 (down 2)

6) 123456789 (unchanged)

7) football (up 3)

8) 1234 (down 1)

9) 1234567 (up 2)

10) baseball (down 2)

11) welcome (new)

12) 234567890 (new)

13) abc123 (up 1)

14) 111111 (up 1)

15) 1qaz2wsx (new)

16) dragon (down 7)

17) master (up 2)

18) monkey (down 6)

19) letmein (down 6)

20) login (new)

21) princess (new)

22) qwertyuiop (new)

23) solo (new)

24) passw0rd (new)

25) starwars (new)

► If your password appears on this list, you should probably change it

right away


The password is the basic factor in authentication

Weak passwords Strong passwords

► Four-digit year: 19XX, 20XX ► Minimum password length of

8–12 characters

► “Password”: pass, password,

p@$$word

► A combination of upper- and

lowercase letters, numbers and

special characters.

► Dictionary words: “football,”

“baseball,” “secure”

► Different from any of the last

passwords used

► Names: name of your pet, parents,

children

► Try to use different passwords

for different services

► Personal Information: your name,

email address, birthday

► Use a passphrase instead of a

password

► Keyboard patterns and sequences:

qwerty, asdf, 123456, abc123


Create strong passwords

One way to create a secure

password is to start with a

word you will remember

e.g.,“pamphlet”

Add numbers, special

characters and

capitalization

Hence, you may come up

with “pAMPh$3let”

20/04/2017

9


Use a passphrase

► A passphrase is a phrase or series of words that is used to create a unique password.

A passphrase is typically longer than passwords for additional security.

► Create a phrase that is long and meaningful

► The phrase may be personal to you, so you can remember it easily

► Use the first character of each word to form a password or the entire phrase

How to create a passphrase

Passphrase example

My parents bought me a car as a

graduation gift in 2013.

I was hired at Mom and Mom on

June 18, 2015.

Mpbmacaaggi2 IwhaMaMoJ12


Passwords

► Use different passwords for every site

► Otherwise, one site getting hacked exposes all of your accounts

► Use a secure password manager

► Creates a complex password for every site for you

► You need to remember only one master pass phrase

► Can be a vault for other important information


Two-factor authentication

► What is it?

► Requires multiple things to gain access to an account:

► Something you know

► Something you have

► Why is it good?

► Prevents someone who has your password from accessing an

account

► Notifies you when someone tries to access your account

20/04/2017

10


Two-step authentication using Google Authenticator

► Provides a second factor of authentication

to access your Google account

► If your username and password are ever

compromised, the attacker will also need

the PIN code to access your account

► Google Authenticator can be used for

many personal sites too!


Watch for breaches in the news

https://haveibeenpwned.com


Typical privacy-type questions Our data never changes

► Use your password manager to make up answers

to security questions and record them

► Favorite color

► Car

► School mascot

► Favorite sports teams

► Favorite movies

► Mother’s maiden name

► Spouse’s name

► Names of friends

► Address

► Email address

► Phone number

► Education history

► Employment history

► Home address

► Date of birth

► City and state of birth

► Pet names

► Family names

20/04/2017

11


Real-life phishing examples


We know to ignore these


But what about this one?

20/04/2017

12


If you think people will not fall for this,they do

► The Federal Bureau of Investigation (FBI) has been

keeping a running tally of the financial devastation visited

on companies via CEO fraud scams.

► In June 2016, the FBI estimated that crooks had stolen

nearly $3.1b from more than 22,000 victims of these wire

fraud schemes.

Source: https://krebsonsecurity.com/2017/02/irs-scam-blends-ceo-fraud-w-2-phishing/


Why would I need to email the W2 for employees?


We have seen lots of these over the past two months

20/04/2017

13


Attachment phishing

Source: http://news.netcraft.com/archives/2012/11/13/phishing-attacks-using-html-attachments.html

Do not open attachments in emails

that you did not expect to receive.


Hover over the link

Source: http://technews.olemiss.edu/files/2014/03/verizon-phishing.gif


Is this real?

20/04/2017

14


What’s wrong with this site?

That’s not Google


Phishing can also occur via text messaging


Texts/emails you should always avoid

► Any communication that you did not initiate

► Communications from your bank with links

► Communications from the IRS

► Communications from your credit card company with a

call to action

► Unsolicited communication from your doctor, lawyer,

accountant or other professional services person

► Random communication from your mortgage company

► Scary texts from a lender

► Promotion from your favorite game

20/04/2017

15


Ransomware


What is social media?

Social media are interactive

platforms that allow people to create

and share information over the

internet. These platforms include

web applications, websites and

mobile apps.


► Two of the most popular social media platforms are Facebook and

Twitter.

► LinkedIn is the largest professional networking site.

► One million websites have integrated with Facebook.

► 25% of users don’t bother with privacy settings.

Social media sites are susceptible to privacy concerns

f450m

users

1.7b

users

320m

users

20/04/2017

16


IoT devices


IoT scanner

http://iotscanner.bullguard.com/


Tips to avoid social engineering

► Be skeptical of unusual or unexpected communications

► Be cautious in what you post online

► Be careful when opening attachments

► Speak up if something doesn’t look right

► Lock your laptop screen: do not leave equipment unattended in public places

► Do not send personal or highly restricted information over the Internet without

double-checking the validity of the website’s URL (https:///...)

20/04/2017

17


Tips

Install a comprehensive security suite that provides

layered defense via anti-virus, anti-phishing, safe browsing,

host-based intrusion prevention and firewall capabilities.

Install ad blockers for your web browsers.

The latest version of any operating system (OS) usually

updates security features from the previous versions. Many of

these security features are enabled by default and help

prevent common attack vectors.

Migrate to modern operating systems and hardware platforms

Install a comprehensive security suite


Tips

In addition to using a strong and complex password on your

wireless access point, use a strong password on any

network device that can be managed via web interface,

including routers, printers and cameras.

To keep your wireless communication confidential, ensure

your wireless access point is using Wireless Protected

Access 2 (WPA2) connection at home.

Implement WPA2 on your wireless network

Implement strong passwords on all network devices


Buyer beware

► Beware of public things

► Public kiosk computer

► Public Wi-Fi

► Hotel computers

20/04/2017

18


Questions?

EY | Assurance | Tax | Transactions | Advisory

About EYEY is a global leader in assurance, tax, transaction and advisory

services. The insights and quality services we deliver help build trust

and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our

promises to all of our stakeholders. In so doing, we play a critical role

in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each

of which is a separate legal entity. Ernst & Young

Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our

organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of

Ernst & Young Global Limited operating in the US.

© 2017 Ernst & Young LLP.

All Rights Reserved.

1703-2258663

ED None

This material has been prepared for general informational purposes

only and is not intended to be relied upon as accounting, tax or other

professional advice. Please refer to your advisors for specific advice.

ey.com

Think Security Webinar

April 25, 2017

Attendees by Last Name (164)

Jennifer Acton-UNC Chapel Hill

Kathryn Alexander-Forsyth Technical CC

Shelly Alman-Gaston CC

Gregory Alvord-Health & Human Services

Jennifer Arenas-Central Piedmont CC

Lamees Asad-UNC

Steve Ayers-East Carolina University

Phillip Ayscue-Department of Transportation

David Barkhau-Department of Transportation

Ruth Bartholomew-UNC Health

Alicia Bartosch-UNC

Kim Battle-Office of the State Controller

Jeannie Betts-Health & Human Services

Krista Bigelow.-Department of Public Instruction

Steven Birkhofer-UNC

Jennifer Blair-UNC

John Blevins-UNC Health

Judy Blount-Department of Public Instruction

Joyce Boni-UNC

Jessica Boyce-Central Piedmont Community College

Vicki Braddy-Department of Public Safety

Roger Brandon-Appalachian State University

Robert Brinson-Department of Public Safety

Cameron Brown-Commerce

Jeff Carpenter-Haywood CC

Wynona Cash-Office of the State Controller

Sherry Chance-UNC

Susan Charlton-Department of Public Safety

Steve Chase-Wildlife

James Cheroke-Department of Public Safety

Emily Coble-UNC

Bruce Cole-Gaston CC

Tracey Conrad-UNC

Eloise Covalt-Appalachian State University

Stephanie Cronk-Department of Revenue

Emma Davis-Health & Human Services

Irene Deng-UNC

Debbie Dryer-UNC

Di'Nesha Dunn-Central Piedmont Community College

Ryan Dupree-Department of Public Instruction

Michael Durkin-Department of Transportation

Jolene Elkins-Health & Human Services

Wendy Emerson-Forsyth Technical CC

Leah Englebright-School Science & Math

Carl Epley-Health & Human Services

Bonaventure Ezewuzie-Office of the State Controller

Joanne Ferguson-UNC

Steve Fleeman-NC A&T

Nadine Flint-UNC

Frances Flowers-East Carolina University

Denise Foutz-Appalachian State University

Elaine Freeman-Commerce

Joyce Freeman-DENR

Lauren Gates-Central Piedmont Community College

Derek Gee-Department of Cultural Resources

Tony Georges-UNC

Anne Godwin-Office of the State Controller

Kristi Gragg-Appalachian State University

Christina Greene-Cape Fear CC

Austin Grier-Winston Salem State University

Charles Gullette-East Carolina University

Timothy Harrell-Department of Public Safety

Carol Harris-UNC

Elizabeth Haynes-Department of Cultural Resources

Shannon Henry-Winston Salem State University

Jeff Hill-Central Piedmont Community College

Shannon Hobby-Department of Cultural Resources

Paul Horner-Health & Human Services

Heather Horton-Commerce

Kelley Horton-UNC

Tammy Hubbell-Department of Revenue

Scott Hummel-NC A&T

Heather Hummer-UNC

Jessica Hwang-Strickland-UNC

Heather Iannucci-UNC

Suzanne Imboden-East Carolina University

ROD ISOM-Winston Salem State University

Deborah Jackson-UNC Health

Michael W. Jackson-NC A&T

David Jamison-Appalachian State University

Brittany Johnson-Department of Revenue

Sue Kearney-Agriculture

Ginger King-Bladen CC

Gloria King-Health & Human Services

Darlene Langston-Department of Public Safety

Jennifer Leigh-Central Piedmont CC

Tracey Lemming-UNC

John Leskovec-State Budget & Management

Xingjie Lu-UNC Health

Felecia Lucas-Health & Human Services

Theresa Lynch-Forsyth Technical CC

Evelyn Makatiani-UNC

Arun Malik-UNC

Jo Ann Martin-Health & Human Services

Marcus McAllister-Office of the State Controller

Jarvis McBride-Health & Human Services

Nicole McCoy-UNC

SORINA MCINTURFF-Appalachian State University

Christie Medford-Haywood CC

Joel Mercer-Health & Human Services

Laketha Miller-Health & Human Services

Matt Miller-UNC

Kelly Mintern-UNC

Cynthia Modlin-East Carolina University

Kimberly Morehouse-Haywood CC

Dannie Moss-East Carolina University

Michael Moss-Central Piedmont CC

Clayton Murphy-Office of the State Controller

Melanie Nuckols-Forsyth Technical CC

Jennifer Pacheco-Office of the State Controller

Paul Palermo-Office of the State Treasurer

Patty Peebles-East Carolina University

Amy Penson-Isothermal CC

Jennifer Percy-NC Housing & Finance

Landon Perry-DENR

Anita Peters-Haywood CC

Rick Pieringer-Office of the State Controller

Sarah Pinion-Winston Salem State University

Tiesha Pope-Department of Justice

Brittany Powell-East Carolina University

Donna Powell-Department of Revenue

Dawn Quist-East Carolina University

Tracy Rapp-Haywood CC

Carla Reaves-Winston Salem State University

Lymari Rentas-Gonzalez-Health & Human Services

Doreen Rettie-Department of Public Safety

Zahiya ( Sarah ) Rimawi-Forsyth Technical CC

Chavon Robbins-Health & Human Services

Sharon Robertson-Tri County CC

Wayne Rogers-Department of Transportation

Elizabeth Ross-Western Carolina University

Joan Saucier-Department of Public Safety

Troy Scoggins-Office of the State Controller

Sherryl Seigfreid-UNC

Teresa Shingleton-Office of the State Controller

Debra Smith-NC Community Colleges

Kelly Smith-UNC

Rodney Smith-UNC

Alison Soles-Southeastern CC

Faye Steele-East Carolina University

David Steinbicker-Western Carolina University

Gina Steinbicker-Western Carolina University

Robert Stogner-Fayetteville State University

John Stroud-Department of Transportation

Hannah Sullivan-Health & Human Services

Dawei Tang-UNC

Michelle taylor-UNC

Tom Taylor-NC General Assembly

Karen Thomas-Department of Transportation

Catherine Thompson-NC State University

Samuel Tucker-Department of Revenue

Prabhavathi Vijayaraghavan-Department of Public Instruction

Megan Wallace-Office of the State Controller

Dianne Ware-Furlow-UNC

Lily West-Department of Public Safety

Rex Whaley-DENR

Mike Whiteman-Central Piedmont Community College

Cassandra Wilson-Office of the State Treasurer

Joseph Wilson-Department of Transportation

Melissa Wilson-Central Piedmont Community College

Steve Woodruff-Rockingham CC

Claudia Young-NC Housing & Finance

Yifan Zhou-Appalachian State University

Fang Zuo-UNC Charlotte

Think Security Webinar

April 25, 2017

Attendees by Agency (164)

Sue Kearney-Agriculture

Roger Brandon-Appalachian State University

Eloise Covalt-Appalachian State University

Denise Foutz-Appalachian State University

Kristi Gragg-Appalachian State University

David Jamison-Appalachian State University

Sorina McInturff-Appalachian State University

Yifan Zhou-Appalachian State University

Ginger King-Bladen Community College

Christina Greene-Cape Fear Community College

Jennifer Arenas-Central Piedmont CC

Jessica Boyce-Central Piedmont CC

Di'Nesha Dunn-Central Piedmont CC

Lauren Gates-Central Piedmont Community College

Jeff Hill-Central Piedmont Community College

Jennifer Leigh-Central Piedmont CC

Michael Moss-Central Piedmont CC

Mike Whiteman-Central Piedmont CC

Melissa Wilson-Central Piedmont CC

Cameron Brown-Commerce

Elaine Freeman-Commerce

Heather Horton-Commerce

Joyce Freeman-DENR

Landon Perry-DENR

Rex Whaley-DENR

Derek Gee-Cultural Resources

Elizabeth Haynes-Cultural Resources

Shannon Hobby-Cultural Resources

Tiesha Pope-Department of Justice

Krista Bigelow-Department of Public Instruction

Judy Blount-Department of Public Instruction

Ryan Dupree-Department of Public Instruction

Prabhavathi Vijayaraghavan-Public Instruction

Vicki Braddy-Department of Public Safety

Robert Brinson-Department of Public Safety

Susan Charlton-Department of Public Safety

James Cheroke-Department of Public Safety

Timothy Harrell-Department of Public Safety

Darlene Langston-Department of Public Safety

Doreen Rettie-Department of Public Safety

Joan Saucier-Department of Public Safety

Lily West-Department of Public Safety

Stephanie Cronk-Department of Revenue

Tammy Hubbell-Department of Revenue

Brittany Johnson-Department of Revenue

Donna Powell-Department of Revenue

Samuel Tucker-Department of Revenue

Phillip Ayscue-Department of Transportation

David Barkhau-Department of Transportation

Michael Durkin-Department of Transportation

Wayne Rogers-Department of Transportation

John Stroud-Department of Transportation

Karen Thomas-Department of Transportation

Joseph Wilson-Department of Transportation

Steve Ayers-East Carolina University

Frances Flowers-East Carolina University

Charles Gullette-East Carolina University

Suzanne Imboden-East Carolina University

Cynthia Modlin-East Carolina University

Dannie Moss-East Carolina University

Patty Peebles-East Carolina University

Brittany Powell-East Carolina University

Dawn Quist-East Carolina University

Faye Steele-East Carolina University

Robert Stogner-Fayetteville State University

Wendy Emerson-Forsyth Technical CC

Kathryn Alexander-Forsyth Technical CC

Theresa Lynch-Forsyth Technical CC

Melanie Nuckols-Forsyth Technical CC

Zahiya ( Sarah ) Rimawi-Forsyth Technical CC

Shelly Alman-Gaston Community College

Bruce Cole-Gaston Community College

Jeff Carpenter-Haywood Community College

Christie Medford-Haywood Community College

Kimberly Morehouse-Haywood Community College

Anita Peters-Haywood Community College

Tracy Rapp-Haywood Community College

Gregory Alvord-Health & Human Services

Jeannie Betts-Health & Human Services

Emma Davis-Health & Human Services

Jolene Elkins-Health & Human Services

Carl Epley-Health & Human Services

Paul Horner-Health & Human Services

Gloria King-Health & Human Services

Felecia Lucas-Health & Human Services

Jo Ann Martin-Health & Human Services

Jarvis McBride-Health & Human Services

Joel Mercer-Health & Human Services

Laketha Miller-Health & Human Services

Lymari Rentas-Gonzalez-Health & Human Services

Chavon Robbins-Health & Human Services

Hannah Sullivan-Health & Human Services

Amy Penson-Isothermal Community College

Steve Fleeman-NC A&T

Scott Hummel-NC A&T

Michael W. Jackson-NC A&T

Debra Smith-NC Community Colleges

Tom Taylor-NC General Assembly

Jennifer Percy-NC Housing & Finance

Claudia Young-NC Housing & Finance

Catherine Thompson-NC State University

John Leskovec-State Budget & Management

Kim Battle-Office of the State Controller

Wynona Cash-Office of the State Controller

Bonaventure Ezewuzie-State Controller

Anne Godwin-Office of the State Controller

Marcus McAllister-Office of the State Controller

Clayton Murphy-Office of the State Controller

Jennifer Pacheco-Office of the State Controller

Rick Pieringer-Office of the State Controller

Troy Scoggins-Office of the State Controller

Teresa Shingleton-Office of the State Controller

Megan Wallace-Office of the State Controller

Paul Palermo-Office of the State Treasurer

Cassandra Wilson-Office of the State Treasurer

Steve Woodruff-Rockingham Community College

Leah Englebright-School Science & Math

Alison Soles-Southeastern Community College

Sharon Robertson-Tri County Community College

Alicia Bartosch-UNC

Steven Birkhofer-UNC

Jennifer Blair-UNC

Joyce Boni-UNC

Sherry Chance-UNC

Emily Coble-UNC

Tracey Conrad-UNC

Irene Deng-UNC

Debbie Dryer-UNC

Joanne Ferguson-UNC

Nadine Flint-UNC

Tony Georges-UNC

Carol Harris-UNC

Kelley Horton-UNC

Heather Hummer-UNC

Jessica Hwang-Strickland-UNC

Heather Iannucci-UNC

Tracey Lemming-UNC

Evelyn Makatiani-UNC

Arun Malik-UNC

Nicole McCoy-UNC

Kelly Mintern-UNC

Sherryl Seigfreid-UNC

Kelly Smith-UNC

Rodney Smith-UNC

Dawei Tang-UNC

Michelle Taylor-UNC

Dianne Ware-Furlow-UNC

Matt Miller-UNC

Lamees Asad-UNC

Jennifer Acton-UNC Chapel Hill

Fang Zuo-UNC Charlotte

Ruth Bartholomew-UNC Health

John Blevins-UNC Health

Deborah Jackson-UNC Health

Xingjie Lu-UNC Health

Elizabeth Ross-Western Carolina University

David Steinbicker-Western Carolina University

Gina Steinbicker-Western Carolina University

Steve Chase-Wildlife

Austin Grier-Winston Salem State University

Shannon Henry-Winston Salem State University

Rodney Isom-Winston Salem State University

Sarah Pinion-Winston Salem State University

Carla Reaves-Winston Salem State University

think security things you can do to protect yourself and ... · think security – things you can...

Documents