ISL Awareness Training
1. Information Security Liaison Awareness Training
Kelley Bogart, CISSP
Senior Information Security Specialist
University Information Security Office
2. What is Information Security?
Program
Process (not a Project)
Never 100%
Risk Management
Improve Security Posture
Changing Security Landscape
Threats (motives)
Countermeasures
3. Goal of Information Security
To ensure the confidentiality, integrity and availability (CIA) of critical systems and confidential information.
(Diagram labels: Protected Confidential Information; Critical Systems)
4. CIA Triad
(Diagram: the triad applied to information in storage, in transmission and at disposal)
Confidentiality: to ensure protection against unauthorized access to or use of confidential information.
Integrity: to ensure the accuracy and completeness of information, to protect university business processes.
Availability: to ensure that information and vital services are accessible for use when required.
5. Information Security Domains
1. Access Control
2. Application Security
3. Business Continuity and Disaster Recovery Planning
4. Cryptography
5. Information Security and Risk Management
6. Legal, Regulations, Compliance and Investigations
7. Operations Security
8. Physical (Environmental) Security
9. Security Architecture and Design
10. Telecommunications and Network Security
7. What is Security Awareness?
Security awareness is the knowledge, skill and attitude an individual
possesses regarding the protection of information assets.
Being Security Aware means you understand that there is the potential
for some people to deliberately or accidentally steal, damage, or
misuse your account, computer or the data stored on your computer.
Awareness of the risks and available safeguards is the first line of
defense for the security of information, systems and networks.
8. Security Awareness
Includes:
Information about how to
Protect
Detect
React
Knowledge, Skill and Attitude
The What
The How
The Why
Include WIIFM (What's in it for me?)
Culture Change
10. Defense in Depth
(Diagram: layers labelled Network, Host and Application)
Anti-Virus
Anti-Spyware
Encrypted Communication
Session Controls
Limit Use of "Privileged" Accounts
Strong Passwords
OS and App Patches
Physical Security
11. Account Access Controls
Passwords
Strong
Not Shared
Storage
Accounts
Limit use of Privileged Accounts
Session Controls
Password protected screensaver
Ctrl-Alt-Delete then Enter, or Windows+L
12. Wireless – On Campus
Use only UAWifi (not public)
Security (WPA2 & PEAP)
No Rate or Port limitation
http://uawifi.arizona.edu
13. Use of Other Wireless
Home
Change the default admin username and password
Configure it to use encryption (avoid WEP; use WPA or, preferably, WPA2)
Do not broadcast the SSID (note: this only keeps the network out of casual scan lists; anyone with a wireless sniffer still sees it, so it is no substitute for encryption)
Ask your computer-savvy friend to help you configure your home wireless to use encryption
Wireless Security Page (on the computer security resource handout)
Other
Airports, Hotels, Conferences
“Free” WiFi Hotspots
14. Surf Safely
You know there are bad parts of town that
you don’t go to
The Internet is the same way – be wary!
Controls can be administrative, technical or physical
More on the goal of Information Security. Talk about the CIA Triad
Technology is only part of information security. People and policy are just as (if not more) important than the technology itself. People at all levels: the IT people responsible for implementing, configuring, maintaining and monitoring the technology (do they have the required knowledge and understanding?), the people in charge of policy and compliance, and lastly the end user.

Personal computers comprise a large percentage of those 1.3 billion connected devices and have become an increasingly popular target for the bad guys. If you own, use or do business with someone that uses a computer, you are the last layer of defense against the rapidly growing computer security threats in cyberspace. The only way to ensure protection of your computer and/or sensitive, confidential or regulatory protected data is to take responsibility by understanding the threats as well as the layers of defense against them. Technology alone cannot keep us secure. People are the last layer of defense. Security is everyone's responsibility! Sec-U-R-IT-y... You Are It!
Trojans (software downloads, e.g. Kazaa). Viruses (email). Zombies or botnets. Phishing (identity theft). Spyware. Most incidents are unintentional and can be avoided.
Kelley: According to Internetworldstats.com, there are slightly over 1.3 billion internet users worldwide. Approximately 19% (18.9%), or 237 million, are from North America; that means the other 81% are from the rest of the world. Once connected to the internet your computer is accessible to those users. Car analogy: private driveway or road versus main highway.

The 1950s American bank robber Willie Sutton was asked why he robbed banks. He said he robbed banks because "that's where the money is." Today it's in cyberspace. Also talk about how physical crime (stealing a car) is a one-to-one relationship; cybercrime is one to a billion. Besides the one-to-a-billion ratio, the criminal can be anonymous and located anywhere.

It's not about you, it's about gaining access to your system to collect your personal information, use your computer to launch attacks, or simply use your hard drive to store pirated movies and music files. A compromised computer provides access to all accounts, keystrokes, and data. Account and keystroke information can be used to access other resources. Operational difficulties; email and documents; financial transactions; identity theft; criminal use of the computer.
Defense in Depth or Layers of Defense. Equate this to home security: my house (front wall with a gate, security iron on windows and doors, a large dog, two locks on the door) versus my neighbor (no wall or gates in front, no security iron, and oh yeah, let's not forget their Chihuahua). Which house would a thief be more likely to break into? If you have some (ideally all) of these measures in place (personal firewall, anti-virus, up-to-date software, strong passwords, as well as the education to know that you really can't trust everything you get via email) versus someone that does not have security practices, who is more likely to have their computer compromised? It's the same as my house analogy: it's not that they absolutely can't get in, it will just take more time and effort.

Anti-Virus: installed, running and updated regularly. Site-licensed anti-virus (Sophos) is free for faculty, staff and students. You can have only one anti-virus application installed, even if the one you already have is not up to date.

Anti-Spyware: spyware used to be used for tracking browsing habits; today spyware can be much more malicious in intent. Keyloggers are the latest type of spyware; a keylogger, once downloaded on your computer, captures everything. Several free versions are listed on the computer security resources handout. Unlike anti-virus, you can and should consider having at least two. The first time you run it, it is not uncommon to find 200 to 300 instances, many of which are cookies.

Physical Security. OS and Application Patches (auto updates). Session Controls. Limited Use of Privileged Accounts. Encrypted Communications. Strong Passwords. I will talk in more detail on the next several slides about the last four elements, as I believe these are currently the areas of greatest exposure to end users. This is because even if you have the others in place (the AV, anti-spyware, current OS patches, etc.), the lack of these last four safeguards can and will circumvent those.
Also because ultimately the data is where the money is for cybercriminals.
Passwords. If I could get you to think differently about one thing today, it would be to have a better understanding of the importance of creating (AND NOT SHARING) a strong password. A password is essentially the last layer of defense for your computer and personal information. You can have every other safeguard in place; if someone gets your password they are now able to access the information. The best example for students is sharing their NetID with a "friend" or "significant other"; some time after that the relationship ends and now that person can access anything of yours with your NetID and password. I have had multiple reports of students having their classes canceled by these "friends" that are no longer "friends".

Do not log on as administrator on a daily basis. That is only needed when you need or want to install or update software. If you log on with these privileges all the time, then when you visit a malicious website the bad guy can just as easily install malicious software. Lock your computer if you are going to be away from it so that anyone who wanders by cannot gain access to your computer and information.
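The NetID-sharing story above (and the "Not Shared" bullet on slide 11) has a detection side that a security office can act on. The following Python script is an added example, not part of the original deck or of the University's tooling: it scans authentication log lines for a NetID that logs in from two different source addresses within a short window, which is the usual first sign of a shared account. The log format, the NetIDs, the addresses and the 15-minute window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real university logs).
# Assumed format: "<ISO timestamp> LOGIN netid=<id> src=<ip> service=<name>"
SAMPLE_LOG = """\
2008-03-03T08:01:10 LOGIN netid=jdoe src=10.1.20.15 service=webmail
2008-03-03T08:03:42 LOGIN netid=jdoe src=10.1.20.15 service=d2l
2008-03-03T08:05:07 LOGIN netid=asmith src=10.4.8.101 service=uaccess
2008-03-03T08:06:30 LOGIN netid=jdoe src=198.51.100.77 service=uaccess
2008-03-03T09:45:00 LOGIN netid=asmith src=10.4.8.101 service=webmail
2008-03-03T14:12:19 LOGIN netid=asmith src=203.0.113.9 service=uaccess
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN netid=(?P<netid>\S+) src=(?P<src>\S+) service=(?P<service>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_shared_accounts(events, window=timedelta(minutes=15)):
    """Return {netid: [(src_a, src_b, seconds_apart), ...]} for every NetID that
    authenticated from two different source addresses less than `window` apart.
    Events are compared pairwise inside the window only, so this stays cheap
    even for long logs."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["netid"]].append(event)

    findings = {}
    for netid, user_events in by_user.items():
        user_events.sort(key=lambda e: e["ts"])
        hits = []
        for i, first in enumerate(user_events):
            for later in user_events[i + 1:]:
                gap = later["ts"] - first["ts"]
                if gap > window:
                    break  # sorted by time, so nothing further is inside the window
                if first["src"] != later["src"]:
                    hits.append((first["src"], later["src"], int(gap.total_seconds())))
        if hits:
            findings[netid] = hits
    return findings


if __name__ == "__main__":
    for netid, hits in find_shared_accounts(parse_log(SAMPLE_LOG)).items():
        for src_a, src_b, seconds in hits:
            print(f"{netid}: logins from {src_a} and {src_b} only {seconds}s apart")
```

Treat a hit as a lead to confirm with the account owner, not as proof of sharing: a laptop moving from UAWifi to a phone tether, or users behind a changing NAT address, produce the same pattern. A second address that is geographically far from campus, or a session that keeps alternating between two addresses, is the stronger signal.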
WPA2: Wi-Fi Protected Access 2. PEAP: Protected Extensible Authentication Protocol, Protected EAP, or simply PEAP (pronounced "peep"). Guest requires UA sponsorship (not bandwidth or port limited; also not secure). Public (bandwidth and port limited; also not secure).
If you have a wireless router set up at home you need to make sure that it is configured securely. Airports, hotels, conferences: use of unsecured wireless "hot spots". Limit what you do when connected. Do not access anything sensitive unless secure (https instead of http). Use UA's site-licensed VPN client to connect to University systems and services.
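Slides 12 and 13 and the notes above boil down to three rules: prefer WPA2 with enterprise authentication (UAWifi), accept WPA/WPA2 on a properly configured home router, and treat open or WEP networks ("free" hotspots, UAGuest, UAPublic) as unencrypted, where nothing sensitive goes over plain http and University systems are reached only through the VPN. The Python below is an added example, not code from the deck or from the University, that applies those rules to a wireless scan. The scan lines are constructed in the style of `nmcli -t -f SSID,SECURITY dev wifi`, the `arizona.edu` suffix as the marker for "University system" is an assumption, and `vpn_active` is a hypothetical flag standing in for whatever the VPN client reports.

```python
from urllib.parse import urlparse

# Constructed sample scan, one network per line, fields separated by ':'
# (the shape of `nmcli -t -f SSID,SECURITY dev wifi`). Not real scan output.
SAMPLE_SCAN = """\
UAWifi:WPA2 802.1X
UAGuest:
UAPublic:
HomeRouter:WPA1 WPA2
Airport_Free_WiFi:
OldLinksys:WEP
"""

# Assumption: University services live under this domain (used by the VPN rule).
UNIVERSITY_DOMAIN = "arizona.edu"


def parse_scan(text):
    """Return [(ssid, security_string), ...]; an empty security string means an open network."""
    networks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, _, security = line.partition(":")
        networks.append((ssid, security.strip()))
    return networks


def rate_network(security):
    """Rate a network according to the deck's guidance.

    preferred  - WPA2 with 802.1X (enterprise) authentication, as UAWifi uses (WPA2 + PEAP)
    acceptable - WPA or WPA2 with a pre-shared key, the usual home-router setup
    avoid      - open or WEP; treat as unencrypted ("free" hotspots, UAGuest, UAPublic)
    """
    sec = security.upper()
    if "WPA2" in sec and "802.1X" in sec:
        return "preferred"
    if "WPA" in sec:  # matches WPA, WPA1, WPA2 (PSK); "WEP" does not contain "WPA"
        return "acceptable"
    return "avoid"


def sensitive_access_ok(url, rating, vpn_active=False):
    """Apply the 'limit what you do when connected' rule to one sensitive request.

    - plain http is never acceptable for sensitive data, on any network
    - on an 'avoid' network, University systems must additionally go through the VPN
    """
    parts = urlparse(url)
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower()
    is_university = host == UNIVERSITY_DOMAIN or host.endswith("." + UNIVERSITY_DOMAIN)
    if rating == "avoid" and is_university and not vpn_active:
        return False
    return True


if __name__ == "__main__":
    for ssid, security in parse_scan(SAMPLE_SCAN):
        print(f"{ssid:20} {security or '(open)':15} -> {rate_network(security)}")
```

Note that an `acceptable` home network still has two preconditions the scan cannot see and the slide does call out: the router's default admin password must have been changed, and the pre-shared key must be strong, otherwise WPA2-PSK protects against neighbours but not against anyone who guesses the key.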