<Speaker> June 2012 - PowerPoint PPT Presentation

slide1 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
<Speaker> June 2012 PowerPoint Presentation
Download Presentation
<Speaker> June 2012

play fullscreen
1 / 120
<Speaker> June 2012
196 Views
Download Presentation
hong
Download Presentation

<Speaker> June 2012

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. IT Security Awareness Workshop and Windows 7 & Office 2010 BriefingforHong Kong Trade Development Council <Speaker> June 2012

  2. Objectives • The main focuses are: • Improve security awareness among staff and to equip them with the latest/best information systems security practices • Keep staff abreast of the latest information security trends, recent attacks, hot issues as well as smart tips in the working environment • Familiarize the Microsoft Windows 7 and Office 2010 environment • Understand and realize on the new functions and features of Windows 7 and Office 2010

  3. Outlines • Part 1: IT Security Workshop • Principles of Protecting Information Resources • Importance of IT Security • Best Practices of IT Security • Secure the Mobile Devices • Information Security Related Policies and Guidelines • Password Management • Prevention of Data Leakage • Social Networking • Security Incident Handling • Existing Encryption tools 3

  4. Outlines • Part 2: Windows 7 & office 2010 Briefing • Common features of Windows 7 • Interface change of Office 2010 • New File Format • Excel 2010 Enhancements • Word 2010 Enhancements • PowerPoint 2010 Enhancements • Outlook 2010 Enhancements 4

  5. Part 1: IT Security Workshop

  6. Try it out!! Self Assessment 6

  7. How much do you know about Information Security ? Q1. When there is a mail telling you that your computer has been infected by a virus and asking you to delete a file, what do you do? A. Follow what the email told you B. Forward it to others ASAP C. Verify with the IT Dept. before taking any actions 7

  8. How much do you know about Information Security ? Q2. How many characters are used for your password? A. 3 characters as it will not be forgotten easily B. As many characters as possible C. 8 characters with combination of letters and numbers 8

  9. How much do you know about Information Security ? Q3. During annual leave, your colleagues request your password to view a file, what will you do? A. Send to them ASAP B. Ignore their request C. Verify their needs and authorities before taking actions 9

  10. Results • If option ‘A’ is selected ≥ 2 times • Knowledge of IT Security should be enhanced • If option ‘B’ is selected ≥ 2 times • Knowledge of IT Security should be enriched • If option ‘C’ is selected ≥ 2 times • With a good knowledge of IT Security 10

  11. Principles of Protecting Information Resources

  12. Principles of Protecting Information Resources • Segregation of duties • A method of working whereby tasks are apportioned between different members of staff • Need to know and “least privilege” • Any object should have ONLY the privileges the object needs to perform its assigned tasks - and no more. • Control: Hard skills versus Soft skills • Hard skills - technical or administrative procedures • Soft skills - “people skills” such as communicating 12

  13. Principles of Protecting Information Resources • Some examples: • Administrative control versus technical control • A user with access to bare minimum of resources necessary to fulfill his job responsibilities (such as open a customer account). • A request of changing sensitive data should be BOTH endorsed by supervisor and systems administrator 13

  14. Latest Trends of IT Security • Wireless security (Fake hotspot) • Protecting Mobile devices (data loss, unprotected data storage) • Phishing (Fake email, websites) • Social Networking (speed of data transfer) 14

  15. Importance of IT Security

  16. Importance of IT Security Consequences of ignorance of information security may: • Breach confidentiality of data • Financial loss • Reputation loss • Damaging of data • Wastage of resource for processing 16

  17. The Ingredients of an Attack Motive + Means + Opportunity = ATTACK! 17

  18. Real Cases in Hong Kong and worldwide 18

  19. Mobile devices incident (14/5/2012) 19

  20. Social networking incident (15/5/2012) 20

  21. Best Practices of IT Security

  22. Major Areas of IT Security • Data security • Access control security • Physical security • Application security • System security • Network and Communication security • Social network security 22

  23. Data Security • Handle sensitive data (e.g. personal information) with extra care • Strictly follow the security regulations for data classification • Do not disclose information to unauthorized persons • Do not disclose the location of the information to unauthorized persons 23

  24. Data Security (2) • Information backup • Determine which data needs to be included • Select Hardware and Media • Floppy / CD-RW / CD-R / removable device, etc. • Save all important and classified data in a removable device, take it away or lock it up when not in use 24

  25. Access Control Security • Establish good passwords strategies (e.g. your pet’s name, change passwords as a regular basis) • Log out computers/sessions before you leave • Monitor your workstations closely to identify any access control breaches • Always beware the storages / handling of your passwords! 25

  26. Physical Security • Always look after the physical work environment around you, good examples are: • Check the power conditions • Workstation / Computer Display positioning • Storage of sensitive data • Disposal of information (such as printouts) 26

  27. Physical Security (2) • Due care with the access control credentials, such as: • Your passwords • Your Logon User ID • Your employee’s badge/door access cards 27

  28. Application & System Security • Protecting your Browser • Change your home page, delete the browsing history, change search settings, change tab settings, and customize the appearance of Internet Explorer • Change cookie and Pop-up Blocker settings • Protecting Emails • Do not reply email message to unknown sender • Do not send sensitive information (such as password) on the email message without proper encryption • Chain e-mail should be ignored • Check your email program that anti-spamming / anti-virus features should be enabled 28

  29. Network & Communication Security • General network protection • Do not connect any unauthorized device • Wireless – the new challenge • Am I really safe? • Internet surfing • Enable anti-virus software in the computer systems • aware about the sites you are surfing through. • necessary to have a clear idea about an e-mail before opening it. • avoid disclosing any personal information through a mail or message 29

  30. Try it out! • Analyse the following scenarios and determine it is a good or bad practices for securing IT resources • I choose “computer” as my login password on my workstation • I share the customer’s personal information to everyone • All information classified as CONFIDENTIAL or above must be encrypted. • I disable the anti-virus features on my Microoft Office Outlook in order to improve system performance

  31. Secure the Mobile Devices

  32. Common vulnerabilities on mobile devices • Cautious browsing • Not all browsers offer HTTPS(SSL) support • Sun Java • Flash Player • FLV Player • QR Code  • Jail breaking • Rogue Wi-Fi • Rogue GSM • Same social media abuses as on PC 32

  33. Securing Your Mobile Devices • Best practices • Never leave a Smartphone unattended • Enable auto-lock • Enable password protection • Do not use default password! • Keep the phone OS and Apps up-to-date • Enable remote wipe • You can wipe out the data on a lost iPhone or Smartphone with Windows Mobile if the phone uses ActiveSync to synch email. 33

  34. Example: Device Wiping Technique 34

  35. Example: Remote locking Technique 35

  36. Incident handling procedures • Recognizing security incident • any incident related to information security, which poses a threat to computer or network security in respect of availability, integrity and confidentiality. • Report to supervisor 36

  37. Information Security Related Policies and Guidelines

  38. Policy & Guidelines refreshment and amendment • IT Security Policy Revision • Information Classification • Secret • Confidential • Restricted • Unclassified 38

  39. Information Classification • Secret • Very Sensitive data with serious damaging impact to the Government or HKTDC, e.g. contract bids of HKCEC Phase III Development • Confidential • Sensitive HR data, e.g. criminal records, medical records • Restricted • Customers and financial data, e.g. customer name, address, email, telephone / fax etc; • unreleased internal management or business plan • Unclassified • Website of HKTDC provide information to public 39

  40. Safeguard for Sensitive Data 40

  41. Staff Exit Form and Procedure • Supervisor of the departing staff should fill in the form and submit to HR department 2 days before the staff leaves • HR should send to IT department 1 day before the staff leaves • IT will revoke all access rights including • NT Login • All filled applications, like EBMS 41

  42. Staff Exit Form Sample 42

  43. Password Management

  44. Common Usages of password and authentication tokens • Logon / Authentication Processes (e.g. Login to network computers) • Protect files / security instant (e.g. an electronic Spreadsheet) • Accessing Encryption Keys • Assessing sensitive resources • Protect User Interface (e.g. Screen saver) 44

  45. How to create secure passwords • Password principle – “Easy to Remember, hard to guess” • Do not write down your password on a slip of paper and stick it on anywhere • Password life cycle – Life cycle may vary, depending on data sensitivity, but normally no more that 90 days • Password should not be divulged or shared • Staff should not capture authentication tokens which could permit unauthorised access – Therefore NO Give & NO Take 45

  46. Importance of changing passwords frequently • If your existing password has been compromised without your knowledge, you instantly revoke access to anyone maliciously using your credentials • Eliminate Brute Force attack - If someone is actively trying to compromise your account, they need time to discover your password 46

  47. Tips on Password Management • Strong passwords • At least 6 - 8 characters long • Contain characters in each category: • Letters, numerals (0-9), symbols • At least one symbol character in the second through sixth positions • Different from prior passwords • Not contain your name or account user name • Not be a common word or name • Not a dictionary word 47

  48. Tips on Password Management (2) • DO’s • Change your passwords periodically (e.g. at least every 3 months); • Change default passwords for new systems immediately; and • Change password immediately if you suspect that a password has been compromised. • DON’Ts • DO NOT disclose your passwords; • DO NOT share your passwords; or • DO NOT use easily guessed passwords. 48

  49. Prevention of Data Leakage

  50. Storing Hard and Soft Data Securely • Best Practices • Segregation of data storage - separate the operating systems from the data to make repairing of the easier • Always perform backup in case of any kinds of data security incidents 50