Cybersecurity Training November 2016

Introduction

Agenda

Training Concepts

  • Who cares about cybersecurity?
  • How do attackers gain information?
  • Email safe practices
  • Web browsing safe practices
  • Tablet/phone safe operation/hygiene
  • USB device safe operation/hygiene
  • Social engineering prevention


Objectives

  • Reduce the risk of cyber compromise
  • Educate on basic cyber hygiene
  • Protect sensitive business information
  • Understand external threat environments


Reducing the Risk of Cyber Compromise

Overview

Why do we need to care about cyber security?

Cybersecurity should be intrinsic to business decisions, just as legal and financial issues are

  • damages to assets
  • company reputation
  • loss of personnel


Information Exploitation

Market Forces Dictate Outcomes and Techniques

  • Personal data is an "ore" that can be refined in many ways
  • Financial data is risky to attain, but desired
  • Other motivations exist (nation/state, hacktivists)
  • Trade secrets/intellectual property
  • Personally Identifiable Information (PII)

Personally Identifiable Information

PII - Information that can identify, contact or locate a single person

  • Accounting - Accounts Payable
  • Joint Venture Partners - Distributions
  • Investors in the Fund
  • Human Resources - Employee Benefits & Payroll

Connecting the Dots


Professional, social, and government sources of information, not just technical.

  • LinkedIn, PR, trade references
  • Facebook, local events
  • Property, real estate, corporate records

Cyber Attacks in the News


What does this mean for RIAs?

Discussion Points

On June 8, 2016, the US Securities and Exchange Commission ("SEC") brought and settled charges against a registered broker-dealer/investment adviser (the "Registrant") for failure to implement reasonable security policies and procedures in violation of the Gramm-Leach-Bliley Act's "Safeguards Rule," which was adopted as part of Regulation S-P. These alleged violations (the Registrant settled without admitting or denying the SEC's findings) appear to have been self-reported to the SEC by the Registrant following its discovery of two data security incidents - one caused by the criminal misconduct of a registered representative (the "Employee") and another caused by hackers who targeted the Employee. The incidents involved personally identifiable information ("PII") and other data associated with approximately 730,000 customer accounts belonging to 330,000 different households.

What does it mean for RIAs?

  • SEC encouraging RIAs to review their information security measures
    • Sept 15, 2015 Risk Alert
      • Governance and Risk Assessment
      • Access Rights and Controls
      • Data Loss Prevention
      • Vendor Management
      • Training
      • Incident Response
    • Administer an annual cyber security program
    • Draft and implement an enforceable Information Security Management Plan
    • Hold your third-party vendors accountable

Fill in the blanks with the appropriate reasons as to why cybersecurity is important.

A lack of cybersecurity can lead to damage to ______, ______ and a ______

Which of the following are ways attackers gain information?

  • Examining employee LinkedIn and Facebook posts
  • Approaching employees at local events
  • Researching property, real estate, and corporate records
  • Using a proxy server to gain access to the company's VLAN

Cyber Hygiene Part 1

Overview

Email Behavior

Best Practices

  • Use accounts for intended purposes, personal vs. work
  • Phishing emails look real but have malicious links or attachments
  • Go directly to website rather than clicking on links in email
  • Typical suspicious themes:
    • Third-party vendors asking for funds to be wired to foreign banks
    • Benevolent do-gooders sending money
    • Questions that could lead to defamation scenarios
    • Emails impersonating Rubenstein executives
  • Never click embedded links in emails (or web pages) directly; hover over the link to see its real target, or copy it into a notepad application, and check that the domain is the one you expect
  • If you receive an attachment, make sure you were expecting it, or ask the sender if they indeed sent you an attachment
  • Don't click on links that take you to a social media platform
  • When in doubt, call IT
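The checks above (impersonated executives, the "Reply-To" address, look-alike domains) can be run mechanically over a message's headers. The following is an added example, not part of the training deck: it parses a raw email and reports three indicators, a sender domain that resembles the corporate domain, a Reply-To that goes somewhere other than the sender, and a display name that claims the company while the address is external. The corporate domain `rubenstein.example` and both sample messages are assumptions constructed for illustration.

```python
"""Flag common phishing tells in a raw e-mail: a look-alike ("doppelganger")
sender domain, a Reply-To that points away from the sender, and a display name
that claims the company while the address is external.

Added example, not from the training deck. CORPORATE_DOMAIN and the two
sample messages are assumptions constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's real mail domain (the page never states it).
CORPORATE_DOMAIN = "rubenstein.example"
CORPORATE_NAME = CORPORATE_DOMAIN.split(".")[0]

# Characters commonly swapped in look-alike domains, folded to one canonical form.
CONFUSABLES = str.maketrans({"0": "o", "1": "i", "l": "i", "3": "e",
                             "5": "s", "7": "t", "8": "b"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, real: str = CORPORATE_DOMAIN) -> bool:
    """True when `domain` is not `real` (or a subdomain of it) but could pass for it."""
    d, r = domain.lower(), real.lower()
    if not d or d == r or d.endswith("." + r):
        return False
    if d.translate(CONFUSABLES) == r.translate(CONFUSABLES):
        return True                      # rubenste1n.example
    if edit_distance(d, r) <= 2:
        return True                      # rubinstein.example, rubensteinn.example
    # The real name buried inside a longer domain: rubenstein-login.example.net
    return r.split(".")[0] in d.replace(".", "")


def phishing_indicators(raw: str) -> list[str]:
    """Human-readable findings for one raw message; an empty list means nothing odd."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()

    findings = []
    if is_lookalike(from_dom):
        findings.append(f"sender domain {from_dom!r} looks like {CORPORATE_DOMAIN!r}")
    if reply_addr and reply_dom != from_dom:
        findings.append(f"Reply-To goes to {reply_dom!r}, not to the sender's {from_dom!r}")
    if CORPORATE_NAME in from_name.lower() and from_dom != CORPORATE_DOMAIN:
        findings.append(f"display name {from_name!r} claims the company but address is {from_addr!r}")
    return findings


# Constructed sample: an executive-impersonation wire-transfer lure.
SAMPLE_PHISH = """\
From: "Rubenstein CFO" <cfo@rubenste1n.example>
Reply-To: payments@mail-forward.example.net
To: accounts@rubenstein.example
Subject: Urgent: wire today

Please wire the attached invoice to our new bank before close of business.
"""

# Constructed sample: an ordinary internal message.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@rubenstein.example>
To: accounts@rubenstein.example
Subject: Q3 invoice

Attached as discussed.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(raw) or "no indicators")
```

The sample lure trips all three checks; the internal message trips none. None of these indicators proves a message is malicious on its own (a legitimate vendor may well use an external Reply-To), which is why the deck's advice to confirm by phone still applies when any of them fires.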

Cyber Hygiene Properly Executed


Phishing Attacks

Did you know most malware originates from phishing?

  • Many advertisers (and attackers) embed hidden images in email; when a client loads them it requests them from the sender's server
  • That request tells the server that the message was opened, when, and from which IP address and mail software, which confirms the address is live and read
  • Attackers use the same technique to confirm targets and tailor follow-up phishing against specific machines
  • Configure your mail client not to load remote images automatically, and don't load them in messages from non-trusted sources
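The beacon described above is visible in the message's HTML. The following is an added example, not part of the training deck: it scans an HTML body for remote images that behave like tracking pixels (1x1 or hidden, or carrying a long per-recipient token in the URL) and reports why each was flagged. The sample message is constructed for illustration.

```python
"""Spot remote images in an HTML e-mail that behave like tracking pixels: tiny
or hidden, or carrying a per-recipient token in the URL. Loading such an image
tells the sender's server that the message was opened, when, and from what
client and IP address.

Added example, not from the training deck. SAMPLE_HTML is a constructed message.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class ImageCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def is_tiny(value: str) -> bool:
    """Width/height of 0 or 1 (optionally with a 'px' suffix)."""
    try:
        return int(value.lower().rstrip("px")) <= 1
    except ValueError:
        return False


def tracking_pixels(html: str) -> list[dict]:
    """Return remote images that look like beacons, with the reasons for each."""
    parser = ImageCollector()
    parser.feed(html)
    hits = []
    for img in parser.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images are inline and cannot phone home
        reasons = []
        if is_tiny(img.get("width", "")) or is_tiny(img.get("height", "")):
            reasons.append("1x1 image")
        if "display:none" in img.get("style", "").replace(" ", "").lower():
            reasons.append("hidden via CSS")
        # A long opaque query value is almost always a per-recipient identifier.
        if any(len(v[0]) >= 16 for v in parse_qs(url.query).values()):
            reasons.append("unique token in query string")
        if reasons:
            hits.append({"host": url.hostname, "src": src, "reasons": reasons})
    return hits


# Constructed sample body: one inline logo, one visible banner, two beacons.
SAMPLE_HTML = """<html><body>
<p>Dear customer, your statement is ready.</p>
<img src="cid:logo@newsletter" width="120" height="40">
<img src="https://track.example.net/open?rid=7f3a9c2e4b1d8e6f0a2c4e6b8d0f1a3c" width="1" height="1">
<img src="https://images.example.org/banner.jpg" width="600">
<img src="https://track.example.net/p.gif" style="display: none">
</body></html>"""

if __name__ == "__main__":
    for hit in tracking_pixels(SAMPLE_HTML):
        print(hit["host"], "->", ", ".join(hit["reasons"]))
```

The visible banner is a remote image too, and loading it leaks the same connection details; the heuristic only singles out images whose sole purpose is to be fetched, which is why the deck's advice is to block remote images altogether rather than to pick out the pixels.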



Doppelganger


Legitimate Site with SSL


If you are suspicious of an email you just received, what is/are the correct course of action(s)?

  • Ask the sender if they indeed sent you an attachment
  • Call IT
  • Click embedded links to verify legitimacy
  • Take note of the "Reply-To" address

Choose the image that shows a phishing attack.

Choose the image that shows a doppelganger.

Cyber Hygiene Part 2

Overview

Social Networking Guidelines

  • Be cautious of what information you post
  • Tighten your security settings to restrict who can see your information
  • Be aware that your friends may be posting information on you that you do not want public
  • Don't click on emails that claim to originate from social networking sites
  • Watch out for third-party applications
  • Displaying a link to an Adviser website or the disclosure of an Advising website on any social networking platform is prohibited per the Rubenstein Partners policy. 

Password Management

  • Don't reuse passwords
  • Change your password frequently
  • Never share your password
    • No one should ask for your password online or over the phone
  • Use a long password; length is the main defence against brute-force cracking
  • Guidelines for creating a password:
    • Upper and lower case characters
    • Alphanumeric
    • Special characters
    • At least 12 characters long
    • No words from the dictionary
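The guidelines above can be applied mechanically, and doing so shows why the rules work together. The following is an added example, not part of the training deck: it reports every guideline a candidate password breaks and estimates the brute-force search space in bits. The word list and keyboard sequences are small constructed sets standing in for a full dictionary and breach corpus; the passing example `Tr3e$Walk!Rain7` is constructed here. Run against the quiz choices below, `G*rbea8$e` is the strongest of the four but still fails the 12-character rule.

```python
"""Check a candidate password against the deck's guidelines and estimate its
brute-force search space in bits.

Added example, not from the training deck. DICTIONARY and SEQUENCES are small
constructed lists; a real check would use a full word list and a breach corpus.
"""
import math
import string

# Constructed stand-ins for a real word list and a real list of keyboard walks.
DICTIONARY = {"password", "welcome", "letmein", "admin", "john", "doe"}
SEQUENCES = ("123456", "abcdef", "qwerty", "asdfgh")
SPECIALS = set(string.punctuation)


def guideline_failures(pw: str) -> list[str]:
    """Every guideline the password breaks; an empty list means it passes."""
    fails = []
    if len(pw) < 12:
        fails.append("shorter than 12 characters")
    if not any(c.islower() for c in pw):
        fails.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        fails.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        fails.append("no digit")
    if not any(c in SPECIALS for c in pw):
        fails.append("no special character")
    low = pw.lower()
    words = sorted(w for w in DICTIONARY if w in low)
    if words:
        fails.append("contains dictionary word(s): " + ", ".join(words))
    seqs = [s for s in SEQUENCES if s in low]
    if seqs:
        fails.append("contains keyboard/number sequence: " + ", ".join(seqs))
    return fails


def entropy_bits(pw: str) -> float:
    """Bits of search space if every character were drawn at random from the
    character classes present. This overstates strength for patterned
    passwords, which is exactly why the dictionary and sequence checks exist."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in SPECIALS for c in pw):
        pool += len(SPECIALS)
    return len(pw) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    # The four quiz choices plus a constructed password that meets every rule.
    for candidate in ("123456789", "G*rbea8$e", "qwerty123", "johndoe", "Tr3e$Walk!Rain7"):
        print(f"{candidate:16} {entropy_bits(candidate):5.1f} bits",
              guideline_failures(candidate) or "passes")
```

Note that `johndoe` scores more bits than `123456789` on the entropy estimate alone, yet both are trivially guessable; the estimate only bounds a blind brute-force attack, and the dictionary and sequence checks are what catch the guessable ones.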

Mobile Platform

Mobile Phones/Tablets

  • Thieves steal or compromise phones mainly for the identity data and account access on them, not for the hardware
  • Before installing apps, read the reviews and the history of the developer
  • Always enable PIN for unlocking the phone
  • Disable Wi-Fi and Bluetooth when not needed
  • Disable all location access for apps unless absolutely necessary
  • Keep apps and operating systems updated
  • USB drives...avoid!

Social Engineering Prevention

  • Don't be afraid to ask questions
  • Always ask for identification or credentials, both in person and on the phone
  • Second guess what you see and hear
  • Watch for piggybacking: someone following you through a badge-controlled door into a restricted location
  • Manage your digital footprint
    • Just because it's free to register for a service, doesn't mean they're not benefiting...information is $$$
    • Don't use a USB drive you found, or if its origins are suspect

The Traveling Executive

  • Never connect to a public Wi-Fi network
  • Use your phone to create a hot-spot to provide Internet access to your other devices
  • Sanitize electronic devices before traveling
  • Manage removable storage devices
    • Never put sensitive info on USB keys that are not encrypted

What is an example of a strong password?

  • 123456789
  • G*rbea8$e
  • qwerty123
  • johndoe

Match the correct best practice to the issue.

  • Mobile Platform
    Disable location access for applications
  • Social Engineering
    Always ask for credentials and be aware of others piggybacking off of your access badge into a restricted location
  • Social Networking
    Tighten your security settings to restrict who can see your information
  • Traveling
    Create your own hot-spot rather than connect to a public Wi-Fi network