Cyber Awareness Training Employee Training for Cyber Awareness


Cyber Awareness Training: Employee Training for Cyber Awareness
April 29, 2016
Norfolk County Registry of Deeds, IT Department
Dan Caparrotta

Quotes from IT news articles
- Cyber attacks are now ‘business as usual’ for hackers around the world.
- “The Internet is a bad neighborhood.”

Cyber Awareness is crucial
- Cyber awareness learning and training is central to minimizing the risks to information security.
- The methods cyber criminals use to breach organizational systems and networks prey on human vulnerability.
- Our network infrastructure is strong, but the ‘human factor’ of the network also has to be strong.
- The users have to act as human firewalls (the bouncers at the door).

Agenda
- Types of risks in glossary form
- Malware sites and malware programs
- Malware examples
- Bad email examples
- Characteristics of scam emails – things to look for in content and attachments
- What to do
- General principles

Terms
- Phishing/Spear phishing
- Social Engineering
- Malware
- Ransomware
- Adware
- Malvertising
- Scareware
- Drive-by Download
- Spoofed web page
- Trojan horse

Definition of Terms
- Phishing - email masquerading as coming from a legitimate organization, usually combined with a request for information such as passwords or credit card numbers.
- Social Engineering - the art of manipulating people into performing actions or divulging confidential information. A confidence trick for the purpose of information gathering and fraud.
- Malware - a general term used to refer to a variety of forms of hostile or malicious software.
- Ransomware - software that holds a computer user's data for ransom. It usually demands payment in Bitcoin to release the data.

Definition of Terms (continued)
- Scareware - displays false warnings of virus infection to cause shock and anxiety. Often these are just pop-up windows with no actual payload or virus.
- Drive-by Download – a web page that has been injected with HTML to initiate a background download, without the visitor having to click anything.
- Spoofed web page – a web page created as a hoax, intended to mislead readers into believing the website was created by a different person or organization.
- Trojan horse - a program disguised as something benign, such as a screensaver or a video game, that contains a virus within.

Definition of Terms (continued)
- Adware – software that installs on your computer in order to steer your browser towards affiliate advertisers and marketers without your permission.
- Malvertising – malicious online advertising, typically performed by masking malicious computer code behind seemingly harmless online advertisements.

What do they want?
- They want your password.
- They want access to your accounts.
- They want access to your computer.
- They want to use your computer as a money maker for themselves by:
  - turning your PC into a bot member of their own network.
  - sending out malicious content from your computer to other computers.
  - locking you out of your own files and asking you for ransom money to regain entry.

Example Scareware screen
This screen may be nothing more than a web page, but it can scare you into proceeding to a next step, where you might click a malicious link or call a phone number.

Example Ransomware screen

Example Ransomware screen 2

How do these screens appear?
- A link to a bad website. Website code can attempt to launch exploits.
- The advertisements shown on your favorite web pages are bought or hacked into (malvertising).
- Drive-by Download (an exploit where you don’t even have to click a link).
- A malicious email attachment was opened.
- Search engines are tricked into presenting a bogus result near the top of your search results (Search Engine Poisoning).
- Shady websites that give download

What to do if a hack screen appears?
Jim and Dan say, PULL THE PLUG.
- Unplug the network cord and the power cord (if the computer is not running, neither is the virus).
- Power cord: at the outlet, or from behind the PC.
- Network wire: behind the PC.

Example Phishing email 1

Spoofed web page
A phishing email linked externally to an exact replica of Kansas State University’s sign-on web page. The page will steal your ID and password if you enter them and click “Sign in”. Note the URL highlighted in red, “flushandfloose.nl”, which is not the real domain, k-state.edu.

Fake web page: hosted in the Netherlands (.nl)
Real web page: shows the actual, real domain name

How to identify a phishing scam
Characteristics of scam email:
- It asks for private information like a password or account number.
- It conveys urgency, fear, greed or curiosity.
- It uses unfamiliar or inappropriate terms like “send your account information to the MAIL CONTROL UNIT” or “Webmail Administrator”.
- Scam emails are usually generic or impersonal, such as “Dear user” or “Dear account holder”.
- The message contains a link where the displayed address differs from the actual web address (see Spoofed web page).

How to identify a bad email
- Scam emails are usually generic or impersonal, such as “Dear user” or “Dear account holder”.
- Bad email will have vague or brief content.
- They take advantage of current news events.
- They often pose as a popular entity that people have an account with – Amazon, Bank of America, Facebook.
- Legitimate emails will prove they are real by listing your less-known identifiers, such as the last 4 digits of your account number.
- Mouse over the links to show the destination.
- If unsure of legitimacy, call the company to see if they sent it.
- Go directly to the site manually in your
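The mouse-over check and the spoofed-page slide come down to one comparison: does the address the reader sees match the address the link actually goes to, and does that address stay on the organization's real domain? The script below is an added example, not part of the training deck, that automates that check over the HTML body of a message. The sample message is constructed for this example and reuses the k-state.edu / flushandfloose.nl pair from the spoofed-page slide; everything else (function names, the two-label domain rule) is an assumption of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


# Text a reader would take for a web address: "www.k-state.edu",
# "https://www.k-state.edu/signin", "k-state.edu/help".
_URLISH = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)*\.[a-z]{2,}(/\S*)?", re.I)


def looks_like_url(text):
    return bool(_URLISH.fullmatch(text.strip()))


def host_of(url):
    """Lower-cased hostname of a URL; a bare 'www.example.com/x' is handled too."""
    if "//" not in url:
        url = "//" + url  # make urlparse treat the leading part as the network location
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a hostname, e.g. 'login.k-state.edu' -> 'k-state.edu'.
    Simplification (assumption): multi-label suffixes such as co.uk are not handled."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html_body):
    """Links whose visible text names one domain while the href goes to another.
    This is the automated form of the mouse-over check."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        if not looks_like_url(text):
            continue  # link text such as "Help page" shows no address to compare
        shown = registrable_domain(host_of(text))
        actual = registrable_domain(host_of(href))
        if shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


def links_outside_domain(html_body, expected_domain):
    """hrefs that leave the domain the message claims to come from."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    return [href for _, href in collector.links
            if registrable_domain(host_of(href)) != expected_domain.lower()]


# Constructed sample message modelled on the slide: the visible address says
# k-state.edu, the real destination is flushandfloose.nl.
SAMPLE_EMAIL = """
<p>Dear user,</p>
<p>Your mailbox is almost full. Sign in within 24 hours to keep your account:</p>
<a href="http://flushandfloose.nl/signin">https://www.k-state.edu/signin</a><br>
<a href="https://www.k-state.edu/help">Help page</a><br>
<a href="https://www.k-state.edu/">www.k-state.edu</a>
<p>Webmail Administrator</p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f"shown {f['shown']!r} but goes to {f['actual']!r}: {f['href']}")
    print("off-domain links:", links_outside_domain(SAMPLE_EMAIL, "k-state.edu"))
```

Only the first link is reported: its text shows k-state.edu while the href goes to flushandfloose.nl. The third link shows and goes to the same domain, and the second shows no address at all, which is exactly why the slide recommends hovering over every link rather than trusting the text.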

Mouse-Over to check
Not fidelity.com

Phishing example
- Uses the official logo of HSBC.
- Message is brief and vague.
- Greeting is impersonal.

Phishing example 2
The sender, Donald, is a known acquaintance, but his email account has been compromised. Now his account is sending phishing messages to his personal contacts.
- Message is brief and vague.
- Greeting is impersonal.
- The mouse-over technique would show that the link does not go to Dropbox.com.

Legitimate email example
- Provides proof they know you personally/professionally by showing your full name, the last 4 digits of your real account number and “Member Since” info.
- Microsoft has verified the sender's legitimacy by showing the green Trusted Shield (available in Hotmail).

Legitimate attachment example
Why is this attachment legitimate?
- It personally identified me.
- It identified me professionally.
- I was expecting this.

Evaluating attachments
Do not open email attachments you were not expecting:
- if the content of the email message is brief, vague and/or unusual
- from someone you do not know
- from someone you know but weren’t expecting to send you a file (an already compromised account can send malicious emails from the owner's computer to the contacts in their email address book)

Malicious Attachment example
Avoid this attachment

Malicious Attachment attempt (Microsoft Word file), new example March 2016
When you do open an attachment, keep the file in view-only mode (the default setting) and DO NOT enable macros.

Example of malicious email subjects and attachments
Some subjects of emails with bad intent:
- Shipping update for your Amazon.com order 25478546325-658742
- Your Broken message was found and restored
- Update your account
- Your friend has sent you an invite!
4 different attachments:
- Shipping documents.zip
- Your order.ps
- Your invoice.doc
- Invitation card.zip

Evaluating attachments
- Ignore or delete it if it’s not expected or important; it is not worth the risk of opening it and infecting your computer.
- Beware of files embedded in .zip attachments – it is a common way for hackers to send .exe files that would normally be deleted by email systems.
- If there’s any reason to doubt it might be legitimate, validate the attachment before opening it:
  - Contact the sender and ask if it is legit and that they sent it.
  - Ask the IT Department to analyze it.
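Two of the warnings on these slides, executables hidden inside .zip attachments and Word files that ask you to enable macros, can be checked mechanically before anyone double-clicks. The script below is an added example, not part of the training deck, of the kind of first-pass triage an IT department could run on an attachment: it opens zip archives and looks at each member, and for Office Open XML files it looks for the vbaProject.bin part where VBA macros are stored. The sample attachments are constructed from the names on the previous slide with a few stand-in bytes as content; the extension lists and function names are assumptions of this example.

```python
import io
import posixpath
import zipfile

# Constructed lists (an assumption for this example, not from the slides):
# file types Windows runs when double-clicked, and the Office container formats.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".jse",
                  ".vbs", ".vbe", ".wsf", ".ps1", ".msi", ".hta"}
MACRO_ENABLED_EXT = {".docm", ".dotm", ".xlsm", ".pptm"}
OOXML_EXT = {".docx", ".xlsx", ".pptx"} | MACRO_ENABLED_EXT
LEGACY_OFFICE_EXT = {".doc", ".xls", ".ppt"}
# In the Office Open XML (zip-based) format, VBA macros are stored in these parts.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def _ext(name):
    base = posixpath.basename(name).lower()
    return base[base.rfind("."):] if "." in base else ""


def inspect_attachment(filename, data, depth=0):
    """Return the list of reasons to distrust an attachment; [] means none found.
    Archives are opened and each member inspected in turn (three levels deep)."""
    reasons = []
    ext = _ext(filename)
    if ext in EXECUTABLE_EXT:
        note = " (double extension)" if posixpath.basename(filename).count(".") >= 2 else ""
        reasons.append(f"{filename}: executable file type {ext}{note}")
    if ext in LEGACY_OFFICE_EXT:
        reasons.append(f"{filename}: legacy binary Office file, cannot check for macros here; ask IT")
    if ext in MACRO_ENABLED_EXT:
        reasons.append(f"{filename}: macro-enabled Office format")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if ext in OOXML_EXT:
            for part in VBA_PARTS:
                if part in names:
                    reasons.append(f"{filename}: contains VBA macros ({part})")
        elif ext == ".zip" and depth < 3:
            for member in names:
                if member.endswith("/"):
                    continue  # directory entry, nothing to inspect
                reasons.extend(inspect_attachment(member, zf.read(member), depth + 1))
    return reasons


def _build_zip(members):
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments named after the slide's list. The contents are
# stand-ins (a few bytes), not real documents or programs.
SAMPLES = {
    "Shipping documents.zip": _build_zip({"Shipping documents.pdf.exe": b"MZ-stand-in"}),
    "Invitation card.zip": _build_zip({"card.jpg": b"\xff\xd8\xff"}),
    "Your invoice.doc": b"\xd0\xcf\x11\xe0-stand-in",
    "Your invoice.docm": _build_zip({"[Content_Types].xml": b"<Types/>",
                                     "word/document.xml": b"<w:document/>",
                                     "word/vbaProject.bin": b"vba-stand-in"}),
    "Agenda.docx": _build_zip({"[Content_Types].xml": b"<Types/>",
                               "word/document.xml": b"<w:document/>"}),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        reasons = inspect_attachment(name, data)
        print(f"{name}: {'ASK IT' if reasons else 'no finding (still only open if expected)'}")
        for r in reasons:
            print("   -", r)
```

An empty result is not a clean bill of health: the check only catches the two patterns the slides describe, so the rule "do not open what you were not expecting" still applies to an attachment that passes.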

General Principles
- Neither IT staff nor any legitimate business will EVER ask for your password in an email.
- Any IT-related notifications will come from Dan Caparrotta or Jim Limbey. No other vendor should send alerts.
- Think before you click; do not be a victim due to a hasty action.
- Be skeptical / be paranoid.
- Ask I.T.: don’t be timid about asking the IT Dept to help verify whether an email is legitimate or not.
- Do not use the same password for all accounts. Diversify your passwords so that “1 key does not open all doors”.

Useful sources of information
- The Department of Homeland Security’s own safe internet advice page: https://www.onguardonline.gov
- Anti-Phishing Working Group: http://apwg.org
- Teach yourself with SonicWall’s “Phishing and Spam IQ Quiz”: www.sonicwall.com/phishing
- Symantec Internet Security Threat Report, a compiled report of the most current examples of the latest malware, phishing and social engineering on the internet: http://www.symantec.com/en/au/products-solutions/training/theme.jsp?themeid=ssap
