
<Speaker> June 2012

IT Security Awareness Workshop and Windows 7 & Office 2010 Briefing for Hong Kong Trade Development Council. <Speaker> June 2012. Objectives: the main focuses are to improve security awareness among staff and to equip them with the latest and best information systems security practices.


Presentation Transcript


  1. IT Security Awareness Workshop and Windows 7 & Office 2010 Briefing for Hong Kong Trade Development Council <Speaker> June 2012

  2. Objectives • The main focuses are: • Improve security awareness among staff and equip them with the latest and best information systems security practices • Keep staff abreast of the latest information security trends, recent attacks, hot issues and smart tips for the working environment • Familiarize staff with the Microsoft Windows 7 and Office 2010 environment • Understand and make use of the new functions and features of Windows 7 and Office 2010

  3. Outlines • Part 1: IT Security Workshop • Principles of Protecting Information Resources • Importance of IT Security • Best Practices of IT Security • Secure the Mobile Devices • Information Security Related Policies and Guidelines • Password Management • Prevention of Data Leakage • Social Networking • Security Incident Handling • Existing Encryption Tools

  4. Outlines • Part 2: Windows 7 & Office 2010 Briefing • Common features of Windows 7 • Interface changes in Office 2010 • New File Format • Excel 2010 Enhancements • Word 2010 Enhancements • PowerPoint 2010 Enhancements • Outlook 2010 Enhancements

  5. Part 1: IT Security Workshop

  6. Try it out!! Self Assessment

  7. How much do you know about Information Security? Q1. When you receive an email telling you that your computer has been infected by a virus and asking you to delete a file, what do you do? A. Follow what the email told you B. Forward it to others ASAP C. Verify with the IT Dept. before taking any action

  8. How much do you know about Information Security? Q2. How many characters does your password have? A. 3 characters, so it will not be forgotten easily B. As many characters as possible C. 8 characters with a combination of letters and numbers

  9. How much do you know about Information Security? Q3. During your annual leave, a colleague asks for your password to view a file. What will you do? A. Send it to them ASAP B. Ignore their request C. Verify their need and authority before taking action

  10. Results • If option ‘A’ is selected ≥ 2 times • Knowledge of IT Security should be enhanced • If option ‘B’ is selected ≥ 2 times • Knowledge of IT Security should be enriched • If option ‘C’ is selected ≥ 2 times • You have a good knowledge of IT Security

  11. Principles of Protecting Information Resources

  12. Principles of Protecting Information Resources • Segregation of duties • A method of working whereby tasks are apportioned between different members of staff, so that no single person controls a whole process end to end • Need to know and “least privilege” • Any user or process should have ONLY the privileges it needs to perform its assigned tasks - and no more. • Control: Hard skills versus Soft skills • Hard skills - technical or administrative procedures • Soft skills - “people skills” such as communicating

  13. Principles of Protecting Information Resources • Some examples: • Administrative control versus technical control • A user is given access to the bare minimum of resources necessary to fulfil his job responsibilities (such as opening a customer account). • A request to change sensitive data must be endorsed by BOTH the supervisor and the systems administrator

  14. Latest Trends of IT Security • Wireless security (fake hotspots) • Protecting mobile devices (data loss, unprotected data storage) • Phishing (fake emails and websites) • Social networking (the speed at which data spreads)

  15. Importance of IT Security

  16. Importance of IT Security Consequences of ignoring information security may include: • Breach of data confidentiality • Financial loss • Loss of reputation • Damage to data • Wasted resources spent on recovery and reprocessing

  17. The Ingredients of an Attack Motive + Means + Opportunity = ATTACK!

  18. Real Cases in Hong Kong and worldwide

  19. Mobile devices incident (14/5/2012)

  20. Social networking incident (15/5/2012)

  21. Best Practices of IT Security

  22. Major Areas of IT Security • Data security • Access control security • Physical security • Application security • System security • Network and communication security • Social network security

  23. Data Security • Handle sensitive data (e.g. personal information) with extra care • Strictly follow the security regulations for data classification • Do not disclose information to unauthorized persons • Do not disclose the location of the information to unauthorized persons

  24. Data Security (2) • Information backup • Determine which data needs to be included • Select hardware and media • Floppy / CD-RW / CD-R / removable device, etc. • Save all important and classified data on a removable device (encrypted if it is classified CONFIDENTIAL or above), and take it with you or lock it up when not in use

  25. Access Control Security • Establish good password strategies (e.g. do not use your pet’s name; change passwords on a regular basis) • Log out of computers/sessions before you leave • Monitor your workstation closely to identify any access control breach • Always take care how your passwords are stored and handled!

  26. Physical Security • Always look after the physical work environment around you; good examples are: • Check the power conditions • Workstation / computer display positioning • Storage of sensitive data • Disposal of information (such as printouts)

  27. Physical Security (2) • Take due care of your access control credentials, such as: • Your passwords • Your logon user ID • Your employee badge / door access card

  28. Application & System Security • Protecting your browser • Know how to change the home page, delete the browsing history, change search and tab settings and customize the appearance of Internet Explorer (settings that change without your doing so are a sign of browser hijacking) • Review cookie and Pop-up Blocker settings • Protecting email • Do not reply to email messages from unknown senders • Do not send sensitive information (such as passwords) by email without proper encryption • Chain e-mails should be ignored • Check that the anti-spam / anti-virus features of your email program are enabled

  29. Network & Communication Security • General network protection • Do not connect any unauthorized device • Wireless – the new challenge • Am I really safe? • Internet surfing • Enable anti-virus software on the computer systems • Be aware of the sites you are surfing • Have a clear idea of what an e-mail is (sender, expected content) before opening it • Avoid disclosing any personal information through a mail or message

  30. Try it out! • Analyse the following scenarios and determine whether each is a good or bad practice for securing IT resources • I choose “computer” as my login password on my workstation • I share the customer’s personal information with everyone • All information classified as CONFIDENTIAL or above must be encrypted. • I disable the anti-virus features of Microsoft Office Outlook in order to improve system performance

  31. Secure the Mobile Devices

  32. Common vulnerabilities on mobile devices • Browsing - be cautious • Not all browsers offer HTTPS (SSL) support • Sun Java • Flash Player • FLV Player • QR codes • Jailbreaking • Rogue Wi-Fi • Rogue GSM • The same social media abuses as on a PC

  33. Securing Your Mobile Devices • Best practices • Never leave a smartphone unattended • Enable auto-lock • Enable password protection • Do not use the default password! • Keep the phone OS and apps up to date • Enable remote wipe • You can wipe the data on a lost iPhone or Windows Mobile smartphone if the phone uses Exchange ActiveSync to sync email.

  34. Example: Device Wiping Technique

  35. Example: Remote Locking Technique

  36. Incident handling procedures • Recognizing a security incident • Any event related to information security that poses a threat to the availability, integrity or confidentiality of computers or the network • Report it to your supervisor

  37. Information Security Related Policies and Guidelines

  38. Policy & Guidelines refreshment and amendment • IT Security Policy Revision • Information Classification • Secret • Confidential • Restricted • Unclassified

  39. Information Classification • Secret • Very sensitive data whose disclosure would seriously damage the Government or HKTDC, e.g. contract bids for the HKCEC Phase III development • Confidential • Sensitive HR data, e.g. criminal records, medical records • Restricted • Customer and financial data, e.g. customer name, address, email, telephone / fax etc.; unreleased internal management or business plans • Unclassified • Information the HKTDC website provides to the public

  40. Safeguard for Sensitive Data

  41. Staff Exit Form and Procedure • The supervisor of the departing staff member should fill in the form and submit it to the HR department 2 days before the staff member leaves • HR should send it to the IT department 1 day before the staff member leaves • IT will revoke all access rights, including • NT login (Windows domain account) • All applications listed on the form, e.g. EBMS

  42. Staff Exit Form Sample

  43. Password Management

  44. Common usages of passwords and authentication tokens • Logon / authentication processes (e.g. login to network computers) • Protecting files / documents (e.g. an electronic spreadsheet) • Accessing encryption keys • Accessing sensitive resources • Protecting the user interface (e.g. screen saver)

  45. How to create secure passwords • Password principle – “Easy to remember, hard to guess” • Do not write down your password on a slip of paper and stick it anywhere • Password life cycle – the life cycle may vary depending on data sensitivity, but is normally no more than 90 days • Passwords should not be divulged or shared • Staff should not capture authentication tokens which could permit unauthorised access – therefore NO give & NO take

  46. Importance of changing passwords frequently • If your existing password has been compromised without your knowledge, changing it immediately revokes access from anyone maliciously using your credentials • Limits brute-force attacks - if someone is actively trying to guess your password, they need time to find it; changing it before they succeed forces them to start over

  47. Tips on Password Management • Strong passwords: • At least 6 - 8 characters long (longer is better) • Contain characters from each category: letters, numerals (0-9), symbols • At least one symbol character in the second through sixth positions • Different from prior passwords • Do not contain your name or account user name • Not a common word or name • Not a dictionary word

  48. Tips on Password Management (2) • DO’s • Change your passwords periodically (e.g. at least every 3 months); • Change default passwords on new systems immediately; and • Change your password immediately if you suspect that it has been compromised. • DON’Ts • DO NOT disclose your passwords; • DO NOT share your passwords; and • DO NOT use easily guessed passwords.
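As an added example (not part of the HKTDC workshop deck), the Python script below implements the password rules from the two "Tips on Password Management" slides as a checker, and puts numbers on the slide 46 argument that an attacker "needs time to discover your password". The alphabet sizes are derived from the deck's three character categories; the 90-day rotation period comes from slide 45; the guess rates (10 per second for online guessing against a locked-down logon, 10^9 per second for offline cracking of a stolen hash) and the tiny word list are assumptions made for illustration only.

```python
"""Password policy check and brute-force window estimate.

Added illustration, not part of the workshop deck.  The rules mirror the
"Tips on Password Management" slides; the guess rates and the tiny word
list below are assumptions for the example.
"""
import string

MIN_LENGTH = 8                       # upper end of the deck's "6-8 characters"
ROTATION_DAYS = 90                   # deck: "normally no more than 90 days"
SYMBOLS = frozenset(string.punctuation)

# Constructed stand-in for a real dictionary / common-password list (assumption).
COMMON_WORDS = frozenset({"password", "computer", "welcome", "letmein",
                          "qwerty", "hktdc", "trade"})


def check_password(pw, username="", prior=()):
    """Return the list of policy rules the password violates (empty = passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no numerals")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    # "At least one symbol character in the second through sixth positions"
    if not any(c in SYMBOLS for c in pw[1:6]):
        problems.append("no symbol in positions 2-6")
    lowered = pw.lower()
    if username and username.lower() in lowered:
        problems.append("contains the account user name")
    # Strip decoration such as "Computer1!" -> "computer" before the word check,
    # since appending a digit and a symbol does not make a dictionary word strong.
    core = lowered.strip(string.punctuation + string.digits)
    if core in COMMON_WORDS:
        problems.append("is a dictionary word or common name")
    if pw in prior:
        problems.append("reused from a prior password")
    return problems


def days_to_exhaust(length, alphabet_size, guesses_per_second):
    """Days an attacker needs to try every password of the given length."""
    return alphabet_size ** length / guesses_per_second / 86400.0


def rotation_helps(length, alphabet_size, guesses_per_second,
                   rotation_days=ROTATION_DAYS):
    """True if the password outlives the rotation period against exhaustive search.

    If exhaustive search finishes well inside the rotation period, changing the
    password on schedule does not save it; only a larger keyspace does."""
    return days_to_exhaust(length, alphabet_size, guesses_per_second) > rotation_days


# Alphabet sizes for the deck's character categories.
LETTERS_DIGITS = len(string.ascii_letters + string.digits)          # 62
LETTERS_DIGITS_SYMBOLS = LETTERS_DIGITS + len(string.punctuation)   # 94

# Assumed guess rates: online guessing throttled by account lockout versus
# offline cracking of a stolen password hash (order-of-magnitude assumptions).
ONLINE_RATE = 10
OFFLINE_RATE = 1e9

if __name__ == "__main__":
    for pw in ["computer", "Computer1!", "Tr@de2012#hk"]:
        print("%-14s -> %s" % (pw, check_password(pw, username="tdcuser") or "OK"))
    for length, size in [(8, LETTERS_DIGITS), (8, LETTERS_DIGITS_SYMBOLS),
                         (12, LETTERS_DIGITS_SYMBOLS)]:
        print("len %2d, alphabet %2d: online %.1e days, offline %.1e days, "
              "90-day rotation helps offline: %s" % (
                  length, size,
                  days_to_exhaust(length, size, ONLINE_RATE),
                  days_to_exhaust(length, size, OFFLINE_RATE),
                  rotation_helps(length, size, OFFLINE_RATE)))
```

Running the script shows the point slide 46 leaves implicit: against online guessing at 10 attempts per second, even an 8-character letters-and-digits password takes far longer than 90 days to exhaust, so periodic rotation is effective; against offline cracking of a stolen hash at 10^9 guesses per second the same password falls in about two and a half days and rotation is no help, which is why length matters more than rotation once password hashes can leak.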

  49. Prevention of Data Leakage

  50. Storing Hard and Soft Data Securely • Best practices • Segregation of data storage - keep the operating system separate from the data so that repairing or reinstalling the system is easier and does not put the data at risk • Always perform backups so that you can recover from any kind of data security incident
