(Solved Homework): 1. Either at your school or place of work, locate at least one instance of a security awareness campa…

Answer:

Security awareness campaign:

Strong passwords

passwords do nots

Email usage guidelines

Internet guidelines

Physical Access security

phishing

Clear desk and clear screen

smishing

Viruses

Protect your Data

Strong passwords:

Passwords are a primary means to control access to systems and should therefore be selected, used and managed to protect against unauthorised discovery or usage.

Passwords provide the first line of defence against improper access and compromise of sensitive information.Weak passwords are passwords that are easily guessable, crackable and vulnerable to attacks. Weak passwords make it very easy for hackers to gain access to an account and could lead to substantial financial loss and identity theft. Strong passwords should include the following best practices: –

• Should not be left blank.
• Must be at least eight characters in length.
• Must contain a character from three of the following four character sets: –

  – Lower case characters (e.g. a to z)

  – Upper case characters (e.g. A to Z)

  – Numeric digits (e.g. 0 to 9)

  – Character symbols (e.g. + = ( ) & % ! ? > <)

• Should not include three or more consecutive characters from your login or full name.
• Should not be a word in any language, slang, dialect, jargon, etc. (e.g. the word password is a weak password).
• Should not include your name, common names of people or places, technical jargon, repeating sequences and keyboard sequences.
• Should not be written down or stored on-line.
• Should be easily remembered. One way to do this is to create a password based on a song title

Passwords do nots:

• Do not use the same password on multiple accounts. If one account is breached, the others will be at risk as well.
• Do not enter passwords when others can observe what you are typing.
• Do not write down your passwords.
• Do not reveal your password with anyone.
• Do not share your password with your supervisor, manager, partner, your children, your friends, etc.
• Do not walk away from a shared computer without logging off.
  • Always log out of systems / applications when they’re not in use
  • Lock your computer when not in use
  • Do not leave an application unattended if it is logged in or unless a password protected screen saver is in place
  • Change your password immediately if you suspect that others know your password

Email usage guidelines:

E-mail is an efficient and timely communication tool used to conduct business within Government, businesses and citizens. E-mail has become an important component of any office automation system. E-mail facilitates the exchange of information, speeds up the decision making process and reduces paperwork, resulting in increased productivity, reduced costs and ensures better delivery of services. Please be guided by the following good practices: –

Dos

• Do check the address line before sending a message and check you are sending it to the right person/s.
• Do respect the legal protections to data and software provided by copyright and licences.
• Do treat all e-mail with suspicion. What you see in the e-mail body can be forged, the sender’s address or return address can be forged and the e-mail header can also be manipulated to disguise its true origin.

Do Nots

• Do not use e-mail to send or forward material that could be seen as confidential, political, obscene, threatening, offensive or libellous.
• Do not auto forward gov.mt e-mails to any private e-mail accounts.
• Do not forward chain letters, junk mail, jokes or news flashes.
• Do not use e-mail for monetary gain, political purposes or illegal activities.
• Do not use the Government of Malta data or computing resources/systems to violate state laws and regulations.
• Do not download and/or distribute copyrighted materials including print, audio, and video.
• Do not download e-mail attachments from unknown sources.
• Do not include any confidential information in an e-mail message.
• Do not send offensive, libellous, defamatory, racist, obscene, pornographic, harassing or threatening messages, hate mails, discriminatory remarks and other anti-social behaviour messages.
• Do not use e-mail to spread computer viruses, damage or destroy data, infiltrate systems, damage hardware or software, or in any way degrade or disrupt the network performance.
• Do not send e-mail messages using another person’s e-mail account.
• Do not disguise or attempt to disguise your identity when sending out an e-mail.
• Do not use e-mail for private business.

Internet uasage guidelines:

Dos

• Do be careful when using the Internet – remember you’re representing the Government of Malta.
• Do verify that before installing any software, the software has been obtained from a reputable source and legally.
• Do a virus scan check on any downloaded files prior to opening.

Do Nots

• Do not visit sites that contain obscene, hateful, pornographic or otherwise illegal material.
• Do not store confidential Government data on third party sites as you do not know where these documents might end up.
• Do not perpetrate any form of fraud or piracy.
• Do not send offensive or harassing material to other users.
• Do not hack into unauthorised areas.
• Do not disclose your password.
• Do not use the Internet to conduct any personal business or for commercial or promotional purposes.
• Do not install or use peer-to-peer (P2P) software.
• Do not redistribute downloaded material unless the owner has given permission in the copyright/licence terms.
• Do not use someone else’s password to gain access to the Internet.

Physical Access security:

Dos

• Do ensure that your visitors have signed the visitor’s log book and that they are escorted at all times.
• Do report a lost, stolen or damaged electronic identification tag to the department concerned.
• Do escort visitors in restricted areas of information resource facilities.
• Do notify administration/security with any abnormal movements of unfamiliar individuals within the premises.
• Do report to administration/security any violations, namely:

– Refusal to wear the electronic identification tag visibly;

– Manipulation of the automatic door closing mechanism;

– Use of another person’s electronic identification tag;

– Unescorted visitors.

• Access to computer rooms can only be given when an authorised staff member is inside and will supervise the visitor’s movements completely or hand over to successive staff.
• Do restrict physical access to servers to authorised staff.
• Do Nots
• Do not follow closely behind another person so as to gain access to an area requiring the use of an electronic identification tag (tailgating).
• Do not give, share or loan your electronic identification tag

Phishing:

Phishing is a technique used to gain personal information for purposes of identity theft by using fraudulent e-mail messages that appear to come from legitimate sources. The message may look quite authentic, featuring corporate logos and formats similar to the ones used for legitimate messages.

In any working environment, different people hold information that can be considered sensitive or else can be particularly useful to outside parties. A Phishing attacker will make use of non-technical methods (such as social engineering which is the practice of deceiving someone into revealing passwords or other information that compromises the security of a system) to gain that information.

A good number of Phishing attempts make use of e-mail to reach out to millions of possible victims. Such e-mails look very similar to the website of the company that these e-mails claim to be coming from.

When you think of Phishing, think of fishing. Similar to how anglers use bait to lure fish, online scammers use certain tactics to lure us into giving them our valuable information under false pretences. Since information is so readily available to everyone via the Internet, recognising online threats will help prevent us from falling victims to such attempts.

• What you see in the e-mail body can be forged, the sender’s address or return address can be forged and the e-mail header can also be manipulated to disguise its true origin. Unless the e-mail is digitally signed you can’t be sure it wasn’t forged or ‘spoofed’.
• Never reveal information, such as passwords, to anyone making contact with you.
• Do not forward any credit card details and/or bank account numbers through e-mail.
• Do use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly.
• Do not reply to any e-mail asking to verify your personal data. You will find that legitimate vendors and merchants do not send such requests via e-mail.
• Never send personal or financial information to any one via e-mail.
• Ensure that all of your software is up to date – for instance, if you use Microsoft Windows, run Windows Update every day when you first connect to the internet. If you use other operating systems or browsers then check daily for patches or updates. Security loop-holes are regularly discovered in software.
• Make sure you’re on a secure Web server when submitting credit card or other sensitive information via your Web browser. Check the beginning of the Web address in your browser’s address bar – it should be “https://” rather than just http://.
• Report any Phishing incidents immediately to your supervisor or line manager.

Clear desk and Clear screen:

Papers and computer media containing classified information must be stored safely when not in use. This will reduce the risks of compromise, unauthorised access and disclosure, loss of, and damage to government information.

Employees must lock their computers when leaving their desk and log-off when leaving for an extended period of time. This ensures that the contents of the computer are protected from prying eyes and the computer is protected from any unauthorised use. Computers left unattended provide the opportunity for malicious data input, modification, or deletion, often with a negative consequence to the actual employee.

Remember, users are held accountable for all their PC activities entered through the User ID whether or not the user was present at the time.

Clear Desk

• All classified information must be removed from the desk and locked away in a drawer or in a filing cabinet.
• Passwords must not be written down and stored near a computer or in any other accessible location.
• Copies of documents containing classified information must be immediately removed from printers/fax machines.
• Documents or magnetic media, or other removable media such as CDs, DVDs etc should be safely stored away.
• Classified information must not be left unattended on or around the working area.
• Desks must be cleared at the end of each working day (excluding 24 hour environments).
• Classified information must be locked securely in desks, filing cabinets or rooms at all times, unless they are currently in use.
• Filing cabinets containing classified information must be locked when not in use or when not attended.
• Personal items (i.e. keys, handbags, wallets, etc) must be locked away safely for security purposes. It is the responsibility of the owner to ensure that all security precautions are taken.

Clear Screen

• Users must shut-down their computers at the end of the working day.
• Locking the screen not only prevents someone else from using the PC, which is logged on in the user’s name, but it also prevents someone from reading classified information left open on the screen.
• Lock workstations (computers, laptops and windows terminals) when unattended by pressing Ctrl-Alt-Del. At the end of the working day close down all the applications and log off/shutdown the workstation.
• Laptops must be stored securely and not left on desks when the user is not in attendance at the office. Laptops are not to be left at any site or premises where the user cannot be sure of its security.
• Laptops must be either locked with a locking cable or locked away in a drawer or cabinet when the work area is unattended or at the end of the working day.
• All knowledge, information and access to information should be handled responsibly. It is the responsibility of each user to consider the security of the information they have access to and to protect that information accordingly.
• Remember that the laptop and the information stored on the laptop is the user’s responsibility.
• Electronic data and equipment shall not be treated differently from manual records and equipment, as they contain the same type of classified and/or personal information. Computer and all other equipment containing data should therefore be treated with the same level of security as paper based resources.
• Computers and laptops must not be left logged on when unattended, and must be protected by passwords, screensavers and other security controls that are available.
• Screens must be locked by the user when leaving their computer terminal, irrespective of the amount of time spent away from the unattended screen.
• Don’t position your screen in a way that sensitive information may be read by others.

Smishing:

Identity thieves have found a new way to get to your personal information through your cell phone by pretending to be legitimate businesses or financial institutions. This practice is known as SMiShing and you don’t have to use your computer to be vulnerable to online scammers.

SMiShing is a type of social engineering that uses cell phone text messages to persuade victims to provide personal information such as credit/debit card details, PINs, etc. SMiShing is a derivative of Short Message Service (SMS, which is the communications protocol used for sending text messages on cell phones) – plus Phishing. The incoming text message, which contains a virus, will be a legitimate looking website address or more commonly, a phone number that connects to an automated voice response system, which then asks to confirm your personal details.

Herewith are some examples about how an individual can protect himself/herself against SMiShing:

• Never reply to SMSs, calls or e-mails on transactions that you did not perform.
• Never reply to a text message asking you for confidential information.
• Never click on any website links found in unsolicited SMS or Multi-Media Messages (MMS) from unknown sources. Do not reply to such SMSs and delete them immediately.
• Call your cell phone service provider to unsubscribe you from the list that sent you the original text message.
• Keep your cell phone number confidential and share it only with known sources such as friends and relatives. If you put it on your business card, be careful whom you give it to.
• Avoid entering your cell phone number on websites to get free ringing tones or other free offers.
• Always remember that your cell phone is just as susceptible to SMiShing as your computer is to Phishing.
• Use your password to secure your handset. Apart from the default factory settings create a combination that won’t easily be guessed by others, and set up the device to automatically lock up if not used for a few minutes.
• Do not enable automatic log-in because it will store your username and/or password in the device itself.
• Never store reminders of your username and/or password in your contacts list or as a text message.
• Download applications from a trusted site. Do not download illegal software as this might contain a virus.
• Check regularly for security patch updates on your phone. Enable automatic updates and install anti-virus software and other security software such as firewalls, where possible. Make sure the sources are genuine.
• Be aware that message headers can be forged easily, so the posing sender may not be the real sender.
• Avoid connecting to unencrypted wireless access points. Use encrypted wireless connections of known sources.
• Where possible, encrypt data on your cell phone.

Viruses;

What is Malware?
Malware (or MALicious softWARE) is software which gets onto your PC and causes viruses, worms or Trojans to run without you even knowing. You will never know that you have Malware on your PC until you begin to experience system degradations or system crashes.

How does Malware work?
Malware hijacks your PC and uses it for malicious activities. Once Malware sneaks into your PC, it is capable of spying on your surfing habits, logging your passwords by observing your keystrokes, stealing your identity, reading your e-mail, hijacking your browser to web pages that phish for your personal information and a variety of other invasive tactics.

How does Malware get onto my PC?
Basically, Malware is a computer programme that invades your system when you open e-mail attachments, visit websites, when opening instant messaging sessions or during file-sharing sessions.

Why is Malware used?
It is difficult to know why people write these malicious programmes. Everyone has his/her own reasons. Some general reasons are to experiment how to write viruses or to test their programming abilities and talents. Some people just like to see how the virus spreads and gets ‘famous’ around the world.

What is Spyware?
Spyware, sometimes called a spybot, is a program which installs itself on your PC (usually without your permission) in order to monitor (spy) all your activities on your PC and online.

How does Spyware work?
Spyware works by running a programme behind the scenes of your PC. You are unlikely to know that you’re being monitored. Some types of Spyware will run to cause a nuisance on your machine by launching advertising pop-ups or changing the browser homepage. Other things which come under the Spyware spectrum include tracking cookies, which collect information from thousands of sites to see who visits what and when, along with other things which bury themselves deep into the PC memory and track other data.

How does Spyware get onto my PC?
Spyware is software that is downloaded on your PC as a result of clicking on certain ads on the Internet. Spyware will bombard you with pop-ups and will place hyperlinks on websites for Spyware advertisements instead of the real advertisements.

The developers of Spyware use the weaknesses of internet browsers and the naivety of inexperienced PC users to their advantage to get their Spyware downloaded on your PC. If the Spyware programme is particularly malicious it will bury itself into the machine. This means that even if you delete it from the machine, it will come back again unless removed professionally or by using specialised removal software.

Why is Spyware used?
The aim of some Spyware programmes, as the name suggests, is to spy on your PC activities. The intent is to capture personal data (i.e. passwords, credit card details, etc.) and transmit that data back over the Internet to a malicious source. When you enter information, it is transmitted to a server and this information can then be used, for example, to purchase goods by using your bank account details or to use your information for other fraudulent purposes.

What is Spam?
Spam is any unsolicited communication received electronically. Typically, we think of e-mail but instant messaging can also be a source of Spam. Spam can be an entry point for Spyware or Malware.

How does Spam work?
Spam is the mass mailing of a single e-mail to thousands or millions of recipients. The Spam perpetrator, known as the spammer, obtains a list of valid e-mail addresses from one of several sources, then fires out as many e-mails as the spammer wants, hoping to get a percentage of profitable responses. The spammer can send out thousands of e-mails in a very short period with really no expense other than the bandwidth necessary to mail out all those e-mails or just the cost of the Internet connection itself.

The second most common source of Spam is the many e-mail propagating viruses, or ‘worms’ on the Internet. Once a PC is infected with one of these programmes, it will e-mail a copy of the virus accompanied by a deceptive message, to every e-mail address known by the system (on your address book). If these e-mails are opened, the worm will reproduce itself exponentially creating more junk e-mail.

How does Spam get onto my PC?
Many companies have special software that can extract e-mail addresses and put them into a database to sell. Many companies also search the web looking for web addresses containing the symbol @. From these, they can find valid e-mail addresses.

Why is Spam used?
Many spammers can buy a database from companies with millions of valid e-mail addresses and use them to advertise. These e-mail addressees are composed of addresses used on websites, newsgroups, chat rooms, etc.

What is Adware?
Adware is software that displays advertising banners, re-directs you to websites and otherwise conducts advertising on your PC.

How does Adware work?
Adware is software which installs itself onto your PC with the intention of promoting adverts depending on the information it captures about the victim.

How does Adware get onto my PC?
There are many ways in which Adware can get on your PC. The most common way is through attachments in unsolicited e-mails. When you open the attachment, it will install itself on your PC and might give someone else access to your computer while you are connected to the Internet.

Why is Adware used?
Adware programmes will often pop up adverts depending on the searches you conduct. This is a source of revenue for Adware authors as they will get a small amount of money every time an advert shows. If this operates on a global scale, the authors will soon become rich in a very short time.

Summary of possible problems caused by these threats:

• Lots of pop-up windows in the web browser;
• Cascading windows that cannot be closed;
• Slows PC and gets worse over time;
• Takes up large amounts of hard disk space;
• Reduces Internet speed;
• Cannot access the Internet;
• Restarts PC on its own;
• Freezes up Web browser;
• Home page changed in web browser and cannot be reset;
• Changes in web browser such as unfamiliar links in Favourites, different default search engine and new buttons on toolbar;
• New shortcuts appear on the desktop, the task bar, or even the system tray that the user did not put there;
• Firewall and anti-virus software mysteriously turned off;
• Firewall alerts the user to an unknown program or process trying to access the Internet, or one trying to access the PC.