Security and the Service Desk
- 1. Service Desk - Security Chris Prewitt
- 2. Service Desk – Why is it a threat?
- 3. Attacking the Service Desk
- 6. 6 Security is everyone’s concern The key to Security Awareness is found in the word itself: “Security… a team effort, but an individual responsibility” SEC- -Y
- 7. Employee Responsibility 7 The OPM hack, the RSA hack, and many others were initiated by an employee making 2 mistakes. First, clicking a link that led to malware. Second, not reporting it immediately when something weird happened. What can you do to help your company? Be aware; see something, say something *Malware is software that is intended to damage or disable computers and computer systems
- 8. Most Common Passwords (2017) 1. 123456 (Unchanged) 2. Password (Unchanged) 3. 12345678 (Up 1) 4. qwerty (Up 2) 5. 12345 (Down 2) 6. 123456789 (New) 7. letmein (New) 8. 1234567 (Unchanged) 9. football (Down 4) 10.iloveyou (New) 11.admin (Up 4) 12.welcome (Unchanged) 13.monkey (New) 8 14. login (Down 3) 15. abc123 (Down 1) 16. starwars (New) 17. 123123 (New) 18. dragon (Up 1) 19. passw0rd (Down 1) 20. master (Up 1) 21. hello (New) 22. freedom (New) 23. whatever (New) 24. qazwsx (New) 25. trustno1 (New) The password policy within Active Directory enforces password length, complexity, and history. This does not in any way control what the password is, just how long it is and what characters are inside of it. Many people will use easily guessable passwords like Winter2017 or Password!@# because they technically meet the standards but are easy for them to remember.
- 9. Is Your Password Secure? Ensure that your password: Is a minimum of 8 characters Is comprised of at least 3 of the following: • uppercase letter (A, B, C..) • lowercase letter (a, b, c…) • numeric (1, 2, 3…) • special character (#, $,*…) Has no sequentially repeated characters Rotate password every 90 days Is not a dictionary word Create or Use a passphrase Is never shared and (never written down) 9
- 10. Sensitive Data Types • Employee Data • Names, addresses, national ID or social security numbers • Employee Medical Information • Insurance, accidents • Financial Information/Payment Card • Credit Card information: internal and customer • Bank routing numbers • Consumer/Customer Information • Names, email addresses, login, passwords • Intellectual Property • Machine drawings, assembly instructions, chemical formulations, recipe • Source code, what’s your companies secret sauce? 10
- 11. How information is stored, transferred • Email • Corporate file transfer tools • File Servers • Online personal storage • Dropbox, Google Drive, OneDrive, Box.com, etc. • Password protected files (Office, Zip) • USB 11
- 12. Risks
- 13. Acceptable Use Policy - Email & Internet Limited personal use is permissible under most policies. However… Using company networks to access pornography or gambling sites is strictly prohibited. These tools are to help your productivity – not interfere with your job performance. Do not use e-mail to distribute files that are obscene, pornographic, threatening, or harassing. Do not open attachments or links in unknown or suspicious email. Using company resources to establish or maintain your own personal business should be strictly prohibited. 13
- 14. Data Leakage 14 Data Leakage is the unauthorized transmission of data (or information) from within an organization to an external destination or recipient. This may be electronic, or may be via a physical method. Be mindful that unauthorized leakage does not automatically mean intentional or malicious. Unintentional or inadvertent data leakage is also unauthorized. Examples Sharing confidential or restricted documents with anyone that shouldn’t see them. Storing confidential or restricted documents on non-Lincoln Electric assets, such as Dropbox, your home computer. Transferring confidential or restricted documents using your personal email or other methods.
- 15. Social Engineering Watch out for phishing attempts through email trying to trick you into providing sensitive information over the internet. Protect against “dumpster diving” - dispose of sensitive information properly (e.g., appropriately shredding sensitive paper documents). Social Engineering occurs when techniques such as trickery and manipulation are used to deceive associates into providing useful Company or personal information. This information can be used to gain unauthorized access to company’s most sensitive information assets. Here are some tips: Never give out sensitive Company information or your personal information over the phone, internet, e- mail, etc. 15
- 16. Phishing 16 Phishing email messages, websites, and phone calls are designed to steal information or money. Cybercriminals can do this by installing malware or malicious software on your computer. Cybercriminals also use social engineering to convince you to install malware or hand over personal information under false pretenses. You could be sent an email, at work or home, they could call you on the phone, or you may even see a popup asking you to download and run software.
- 17. Phishing Phone Calls 17 Treat all unsolicited phone calls with skepticism. Do not provide any personal information of yourself or co- workers. Cybercriminals might call you on the phone and offer to help solve your computer problems or sell you a software license. Neither Microsoft nor other partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.
- 18. Physical Loss Before After 18 What is the real cost of a lost laptop, tablet or smart phone? • How much private information could be stolen? • How many trade secrets? • How much will you have to spend to restore your customers' privacy? Not to mention their trust - or your reputation?
- 19. Response
- 20. Service Desk Responsibility Do you know who to call? Do you know what to do? What tools do you have? What is your responsibility? Why should the Service Desk care about Security? 1. Everyone’s Responsible for Security 2. Service Desks Are the Eyes and Ears of IT 3. Service Desks Can Communicate Information Security Messages to Users 4. Service Desks Have a Major Role to Play in Security Incident Management 5. Service Desk Staff Are Role Models