1-An Executive Guide To Security

An Executive's Guide to Security: Understanding Security Threats
Objectives

- describe what an attack surface is and how it must be understood in order to protect corporate information
- specify what network hardening is and how it relates to the protection of corporate information
- discuss network demilitarized zones and how they help protect corporate information
- describe the differences between threats, vulnerabilities, and risks in a corporate environment
- specify the top kinds of security threats facing organizations today
- discuss the common types of security attacks and how they each pose a risk to organizational data
- describe the role physical security plays in the protection of corporate data
- specify how social engineering is conducted and how it can be mitigated through corporate policy
- discuss the importance of corporate security policies and why they should be strictly adhered to
- describe the importance of password policies and why they should be adhered to
- specify the reasons why IT administrators need to protect an organization by refusing to bend the rules
- describe security threats, network hacks and attacks, and the human element in protecting organizational information

Instructor
Jamie Campbell

Companies that do not understand threats facing their information are at risk of costly
data breaches. In this 13-video course, learners can explore common security threats,
types of network attacks, and the human element of security threats. Key concepts
covered here include what an attack surface is, and how it must be understood to protect
corporate information; and what network hardening is and how it relates to protection of
corporate information. Next, learners will examine network demilitarized zones and how
they protect corporate information; observe differences between threats, vulnerabilities,
and risks in corporate environments; and study top kinds of security threats facing
organizations today. Continue by learning the role that physical security plays in
protecting corporate data; how social engineering is conducted and how it is mitigated
through corporate policy; and the importance of corporate security policies, and why they
should be strictly adhered to. Finally, explore the importance of password policies and
why they should be adhered to; and learn reasons why IT administrators need to protect
an organization by refusing to bend rules.

Table of Contents

1. Course Overview
2. Understanding the Attack Surface
3. Network Hardening Explained
4. What is a Demilitarized Zone?
5. Threats vs. Vulnerabilities vs. Risks
6. Top Security Threats
7. Types of Attacks
8. Physical Security
9. Social Engineering
10. The Importance of the Corporate Security Policy
11. Password Protection Policies
12. Why Never to Ask an Admin for Favors
13. Exercise: Describe Security Threats

Course Overview

[Video description begins] Topic title: Course Overview. [Video description ends]

Hi, I'm Jamie Campbell. With almost 25 years under my belt as an IT consultant,
marketing and communications expert and professional writer, I'm a technology
enthusiast with a passion for gadgets and a flair for problem solving. I've worked in the
IT, publishing and automotive industries and I'm also an accomplished web designer.

Additionally, I've been a technology instructor, I write for various tech blogs, and I've
authored and published four novels. Breaches of company information are reported on a
regular basis. And it has never been more important that companies protect their
information. Organizational leaders must lead the charge.

But it's often a challenge to understand the risks and security principles designed to keep
an organization safe. Companies that don't understand the threats facing their information
are at risk of costly data breaches.

In this course I'll discuss a variety of common security threats, the different types of
network attacks, the role physical security plays in the protection of corporate data, and
the human element of security threats.

Understanding the Attack Surface

[Video description begins] Topic title: Understanding the Attack Surface. Your host for
this session is Jamie Campbell. [Video description ends]

In this video I'll discuss what an attack surface is and how it must be understood in order
to protect corporate information. You may have heard the term attack surface or the term
attack vector, and these two terms generally define, for network administrators, a
network's vulnerability.

When we speak about attack surface, what we're describing is the total combined nodes,
users, devices and any entry points of a software environment, network environment and
business environment. In other words, the attack surface represents all possible
vulnerabilities for a network. To better understand the attack surface, it helps to visualize
what it might look like.

[Video description begins] A diagram displays illustrating an example of an attack
surface. The diagram is arranged in three concentric rings. The inner ring shows an
office, a system of nodes, and a server. The middle ring has routers, a system of nodes,
and servers. The outer ring shows servers, a system of nodes, mobile devices, laptops,
and applications. [Video description ends]

We have many different ways to access company network information today, beginning
with the internal servers and workstations. Those have been around for a while now. But
we have other vectors, and that's the other term you need to know, with each vector
increasing the size and scope of an attack surface. This can include things like remote
workers and remote offices, apps and data in the Cloud, devices that employees use in the
course of business, so phones and tablets. Each new attack vector presents a risk and a
challenge, and IT administrators need to ensure that these vectors are secure in order to
protect a network.

As I mentioned, there are several kinds of attack vectors and they can be broken into lots
of categories. For the sake of simplifying things, let's break them down into four general
categories. First is software. Software is an absolute necessity for getting work done. But
its risk lies in the fact that there's an almost unlimited number of vendors creating an
almost unlimited number of applications. While companies have learned over the years to
lock down what users can and cannot install inside a company's firewall, things have
gotten more complicated in the past 10 years or so.

The network of course, is an attack vector. It's how hackers and unauthorized users try to
gain access to the information secured behind the firewall. Mobile devices are the new
threat really, because while administrators can relatively easily define what software
users can and cannot install, it becomes significantly more difficult to control what apps
are installed on phones and tablets if those devices are personal devices that employees
use to connect to the company network.

And then there's the physical attack vector which for the sake of simplification represents
every door, server room, wireless router, network access point and internal computer
connected to a company network.

Generally attacks come in two forms. The first is passive where a hacker monitors a
network's activity and scans for vulnerabilities on that network. Because it's just watching
and not actively trying to penetrate that network, it's not always obvious that they're
there. The purpose of this kind of attack is to recon the network and its activity often with
the intent of developing an attack plan.

Active attacks on the other hand go further, with hackers actually gaining access to and
perhaps modifying information, either by burrowing in through a vulnerability, an attack
vector, or by intercepting information that comes into and goes out of the network.

So why is the attack surface such a problem for organizations? Well, the surface has been
growing for a while now thanks to advances in technology. 20 years ago, you had servers
and workstations, internal network access points, and that was pretty much your attack
surface. Today, we have numerous new kinds of entry points, like wireless routers, for
example. We have new kinds of devices that connect to an organizational network,
tablets and phones, for example.

In addition to all that, we're seeing more sophisticated hacking tools. There are actually
tool kits that you can purchase on the dark web, making it relatively easier for people
who aren't hardcore hackers. And new kinds of exploits, the tricks and methods used by
hackers to gain access. Then there's BYOD, bring your own device. Many companies
have realized that it's next to impossible to stop people from bringing their personal
phones and tablets to work.

And in fact, they've recognized an opportunity to give those devices connectivity for two
basic reasons. First, because it saves money, now that's up for debate, but I won't get into
that here. You don't have to give them a work phone is the basic idea. Second, it can add to
productivity because employees won't be tethered to their desks. However, as I've
discussed, personal devices have greatly increased the attack surface, especially when
employees don't pay much attention to the apps they're installing.

Network Hardening Explained

[Video description begins] Topic title: Network Hardening Explained. Your host for this
session is Jamie Campbell. [Video description ends]

In this video, I'll discuss the importance of network hardening and how it relates to the
protection of corporate information. So what is network hardening? Well, it's lots of
things, but let's start with a quick definition of attack surface because we need to
understand that and why networks are vulnerable. An attack surface is all the nodes,
users, devices and entry points, all the vulnerabilities of a software network and business
environment. It's every potential entry point for a hacker.

In network hardening, we utilize multiple techniques to ensure that the network is as
secure as possible, minimizing the risk associated with all the entry points. This is a
multitiered procedure using techniques like strong password policies, ensuring that
software is secured, patching software vulnerabilities, securing network ports, utilizing
intrusion prevention systems, having strong malware detection software and hardware,
dealing with stale and outdated accounts, and reducing the amount of unnecessary
software and services. Essentially, you're hardening the network's defenses by mitigating
the common attack vectors and having active defenses against attacks.

Some of the common holes in a network that we target for network hardening include
open network ports. Network ports are used for communicating in a network, both
internally inside the network and externally out to the Internet. For example, when you
use a web browser to surf the Web, you're using port 80 or port 443, the latter being for
secure encrypted connections.

Different kinds of software use different ports and many of them are for legitimate uses.
Then there's old or discontinued software. This represents a sizable challenge for network
admins because we sometimes need old legacy software, and organizations often move
slowly to update to newer software, operating systems, for example. The problem is
compounded when you're talking about hundreds or thousands of systems in an
organizational network. Same with unpatched software. There used to be a time not long
ago when you waited for the next release of an application or OS, and it could be months
or even longer.

Now, depending on the vendor, we're seeing software updates on a weekly basis for a
couple of reasons. First, bandwidth allows us to do that, but more than that, software
development isn't perfect. And vendors, when they detect new vulnerabilities or security
risks want to get the patches out to their installed base as soon as possible. But there also
has to be a procedure to ensure that new software patches don't break functionality.

Recently, a major software developer pushed out an update to its OS and within a matter
of days, some frustrated users were reporting that the update had deleted their personal
files. That's an extreme example but it did happen and organizations often want to test an
update to make sure that it won't disrupt employees in their work activities. And another
common hole is Wi-Fi routers.

Wi-Fi has been with us in a useful manner for 20 years or so. And add to that the sheer
number of wireless devices that people bring to work, and you have a headache for
admins. Not just that, but many organizations offer guest Wi-Fi for visitors to their
business. So that represents a major attack vector that needs to be part of the network
hardening process.

Generally, there have to be two basic roles in the network hardening process. The first is
the admins, the people who actually perform the hardening. They identify security holes
in a number of ways, ranging from the very obvious, like locking down unused network
ports and installing firewalls and malware detectors, to more active and aggressive
forms of network hardening. One of those methods is something called penetration
testing or pen testing for short. Pen tests are simulations of hacking attacks where IT
professionals actively try to break into a network to identify security gaps and lock them
up.

On the other hand, IT admins sometimes forget about this group as a way of helping to
secure a network, but there are the users. Some admins may regard users as the problem,
but users are on the frontline. They're in the trenches every day doing recon if you will. So
they're a valuable resource because if they're properly trained to recognize potential
security gaps, they can advise an admin when they detect a problem. This kind of
advocacy is important but not all organizations recognize the importance of keeping their
employees informed and making them realize that they have a vested interest in
protecting the network too.

Now let's focus for a moment on other issues surrounding network hardening, specifically
some of the things that good network admins want to keep on top of and employees need
to be aware of.

The first is something called zero-day vulnerabilities or simply zero-day. This refers to a
phenomenon where a security hole exists, but the people who need to know about that
potential exploit, the software developers, the security people and the admins aren't aware
of it. This is when the clock starts ticking, thus zero-day. A hacker, if they were
aware of the hole, could walk right in, so to speak, because there was a hole there and no
one knew about it.

Virus definitions, these are updated all the time because of things like zero-day exploits
where security companies recognize a new virus or a potential hole and release updates to
close the holes. Antivirus software definitions need to be updated regularly for this very
reason.

Software bloat, have you ever purchased a new computer or a phone and found all sorts
of software on it that you didn't ask for? It could be a free trial of antivirus software. It
could be a free trial of some sort of marketplace. I'm sure you've come across it because
it's everywhere. Software bloat is a phenomenon that can represent a real network
hardening problem. Because network admins don't want to deal with all sorts of software
they didn't ask for. They can bog down the system and most of us don't have the time to
assess each application to ensure that it doesn't pose a security risk. Software bloat is a
thing.

Poor password policy, this is a headache for everyone. People hate having difficult to
remember passwords, and they hate having to remember yet another password. But trust
me, there's a good reason for strong password policies. Long gone is the time when you
could enter five or six numbers for a password and expect the account to be safe from
things like brute force attacks which use sheer CPU power to repeatedly try passwords
until the correct password's been found.

And I'll end with the attack surface, and the sheer amount of new attack vectors. This
represents a big issue for security admins because where we used to have one device for
every employee, a desktop or a laptop computer, we now have two, three, four devices
for every employee with each one connecting to the organizational network. We're seeing
this kind of exponential growth in the number of possible attack points. And that makes
network hardening even more difficult, and more important in the here and now.

What is a Demilitarized Zone?

[Video description begins] Topic title: What is a Demilitarized Zone? Your host for this
session is Jamie Campbell. [Video description ends]

In this video, I'll discuss network demilitarized zones and how they can help protect
corporate information. You may have heard the term demilitarized zone or DMZ. And
when we talk about DMZs we're not talking about soldiers from opposing nations putting
a safe boundary between them, where no activity occurs. But that's where the term comes
from. So what is a network demilitarized zone?

Well in networking, a demilitarized zone is a logical space or gap between the entry point
to a network, the firewall and the outside world, and the network itself. The idea is to
provide a barrier between the outside world and an organization's sensitive information.

This is a basic graphic that helps explain what a DMZ is and how it works. On the left
half side we have the outside world, the Internet, including a phone to represent external
devices, even if they're physically present in the building. Then we have the cloud and the
laptop to represent remote users. Just to the right of that group there's the firewall, the
guardian of the network. You have to get through that in order to access a company's
network. On the far right we have the internal network, the LAN, with servers and
workstations that are physically plugged in to the network. Notice that there's a firewall
just to the left of that as well, and that space in the middle is the DMZ. There are the Wi-Fi
routers and servers.

In this example, one is for email and one is for a web server. And here we have file folders
with arrows showing the flow of traffic in two directions. So this area in the middle
provides access for users and that could be company personnel working remotely. It
could be suppliers, could be customers. They have access to certain things. The
customers, for example, wouldn't be able to access that mail server, but maybe they can
access your website there in the DMZ.

But all the sensitive information, the important stuff to an organization is secured behind
that second firewall, the one on the right. There's no specific rule that states what you can
and cannot put in the DMZ. More often than not, it's common sense. It's just a matter of
deciding what and how much you want to put in the DMZ. Because while it's still secured
by a firewall, it is directly accessed by the outside world, that is the Internet. A DMZ is
also known as a perimeter network because it provides a sort of perimeter.

Generally speaking, DMZs can be physical or logical, meaning that you could cordon off
a DMZ to a separate physical location or have the perimeter set up on the same servers.
Essentially it's a barrier that makes it more difficult for attackers to gain access to
sensitive information. And it separates the untrusted, the Internet, from the trusted, the
internal network, the LAN.

Now here's another way of looking at DMZs. We have the Internet, which is and rightly
so untrusted, but it's also necessary to do business in the modern world. We need to be
able to access that Internet. We need to be able to give others access via the Internet. On
the other hand, you have your network which is a trusted place where all your important
information is stored. Sometimes it needs to be accessed though from the outside,
employees who travel for example.

We need to be able to provide them access to what they require in order to do their jobs.
So the DMZ acts as a space in the middle that can satisfy that need without putting the
network on the right at risk from the network on the left. As I mentioned, it's up to
whomever designs the DMZ to determine what kind of access is provided.

[Video description begins] Let's look at the Demilitarized Zone Common Services. [Video description ends]

Generally, you'd have website access and access to email. FTP, File Transfer Protocol, is
usually a common service on a DMZ. Database access might be provided and services
like VoIP, Voice Over IP, could be placed on a DMZ.
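The following Python model is an added example, not part of the course: it collapses the two firewalls in the diagram into one ordered, default-deny rule list and checks the properties described above (customers reach the web server but not the mail server, and nothing from the Internet or the DMZ initiates a connection into the LAN). Zone names, port numbers and the rules themselves are assumptions made for illustration.

```python
"""Added example: a first-match packet-filter model of the two-firewall DMZ
described above. Zone names, ports and rules are assumptions for illustration,
not the course's own configuration."""
from dataclasses import dataclass
from typing import List, Optional

# Zones from the diagram: untrusted Internet on the left, the DMZ in the
# middle, and the trusted internal LAN behind the second firewall on the right.
INTERNET, DMZ, LAN = "internet", "dmz", "lan"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "deny"


# Assumed policy, with both firewalls collapsed into one ordered rule list:
# customers reach the web server in the DMZ, only the LAN talks to the DMZ
# mail server (SMTP on 25 assumed), and nothing from the Internet or the DMZ
# initiates a connection into the LAN. Anything unmatched falls to default deny.
POLICY: List[Rule] = [
    Rule(INTERNET, DMZ, 80, "allow"),   # public website
    Rule(INTERNET, DMZ, 443, "allow"),  # public website over TLS
    Rule(LAN, DMZ, 25, "allow"),        # internal users -> DMZ mail server
    Rule(LAN, DMZ, 443, "allow"),       # internal users -> DMZ web server
    Rule(DMZ, LAN, None, "deny"),       # a compromised DMZ host must not pivot inward
    Rule(INTERNET, LAN, None, "deny"),  # the sensitive stuff stays behind firewall two
]


def decide(src_zone: str, dst_zone: str, dst_port: int,
           policy: List[Rule] = POLICY) -> str:
    """First matching rule wins; if nothing matches the packet is denied."""
    for rule in policy:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.dst_port in (None, dst_port)):
            return rule.action
    return "deny"


# Representative ports used to probe the policy (SSH, SMTP, HTTP, HTTPS, RDP).
CHECK_PORTS = (22, 25, 80, 443, 3389)


def audit(policy: List[Rule] = POLICY) -> List[str]:
    """Check the properties the course says a DMZ should give you.
    Returns a list of violations; an empty list means the policy holds."""
    problems = []
    for port in CHECK_PORTS:
        if decide(INTERNET, LAN, port, policy) == "allow":
            problems.append(f"internet -> lan:{port} is reachable")
        if decide(DMZ, LAN, port, policy) == "allow":
            problems.append(f"dmz -> lan:{port} is reachable")
    if decide(INTERNET, DMZ, 25, policy) == "allow":
        problems.append("internet -> dmz:25 (mail) is reachable")
    return problems


# An example misconfiguration: a rule letting remote desktop straight into the LAN,
# placed ahead of the deny so it wins under first-match evaluation.
BAD_POLICY = [Rule(INTERNET, LAN, 3389, "allow")] + POLICY

if __name__ == "__main__":
    print("customer -> web server:", decide(INTERNET, DMZ, 443))   # allow
    print("customer -> mail server:", decide(INTERNET, DMZ, 25))   # deny
    print("good policy violations:", audit(POLICY))                # []
    print("bad policy violations:", audit(BAD_POLICY))
```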

Threats vs. Vulnerabilities vs. Risks

[Video description begins] Topic title: Threats versus Vulnerabilities versus Risks. Your
host for this session is Jamie Campbell. [Video description ends]

In this video, I'll describe the difference between threats, vulnerabilities, and risks in a
corporate environment. When we talk about network security, especially in
organizational environments like a company network, there are three terms we tend to use
to lay out the problems so we can figure out how to tackle them. Those terms are threats,
vulnerabilities, and risks.

And there's a distinction between the three that every stakeholder needs to understand, if
we're to help them understand why it's so important to protect an organization's
information from outside risks. I find this diagram helps to pare down the terms. We
really have two elements to be concerned with, threats and vulnerabilities. Where they
intersect is where the third element, risk, lies. Understanding that relationship on an
organizational scale will help create a culture of risk prevention.

[Video description begins] A graphic displays. It shows a Venn diagram depicting the
relation between the threat and vulnerability. The point of intersection is denoted by
risk. [Video description ends]

So, threats are the potential sources of danger, the things that we network admins worry
about every day. Vulnerabilities, on the other hand, are the potential things that can be
exploited. The security holes that we need to identify and close. And the risk is the asset
that can be lost or compromised if A, the threat, leverages B, the vulnerability, to get to
that asset.

Threats come in many forms, they can be intentional, so your proverbial hacker trying to
find a way into your network. They can also be unintentional, so, for example, an
employee that does something that causes harm. I'll use the example of failing to lock a
computer at the end of the day. They can come in the form of natural disasters,
earthquakes, hurricanes, thunderstorms, and so on.

And they could be the result of force majeure, things that occur either through some sort
of error or at random like power outages. Some examples of vulnerabilities include
security policies, which are great to have, but only as good as the policy itself. Security
infrastructure could pose an opening for hackers if it's not been properly established. The
old example of a backdoor, for example, whether it's intentional or unintentional.

The backup policy, which is crucial for disaster planning. If you're not backing up your
data on a regular basis, there's a vulnerability there, because lost information costs.
Whether an organization has a disaster plan. Has every contingency been thought
through? You have to be ready for everything.

And then how to deal with ex-employees, whether they left voluntarily or involuntarily.
How do you go through and scrub the footprint that they left behind? That could be
security codes, passes, email accounts, network access accounts and so on, and so on.
And all that takes us to risk, the result of threats times vulnerabilities.

[Video description begins] Risk Explained [Video description ends]

Risk requires thorough assessment and planning. Every company understands risk, or at
least it should, but how well an organization understands and deals with risk often comes
down to planning and teams. Ask yourself this, in the event of a disaster, intentional or
otherwise, does every person in your organization know how to react, or will they be
hobbled sitting and waiting for someone to tell them how to react?

That in no small part comes down to policy. If it hasn't been written down in a clear and
unambiguous manner, there may be a problem. On the coattails of that is the fact that
things change, particularly in the tech world. And a policy is not and should never be a
document that's signed off on and then placed in the cabinet to collect dust. It's a living,
breathing document that needs to be revised on an ongoing basis.

Top Security Threats

[Video description begins] Topic title: Top Security Threats. Your host for this session is
Jamie Campbell. [Video description ends]

In this video, I'll discuss the top kinds of security threats facing organizations today.
There are lots of threats to a company's information and we have plenty of real world
examples of that. But there are specific threats worth considering because these are
currently the top security threats to organizations, so let's take a look.

We start with Malware, a catch-all term that upon closer examination means much more.
Social engineering is a term that refers to using people to gain access. Unpatched
software is an ongoing threat. And then there's BYOD, bring your own device and its
younger sibling IoT, the Internet of Things.

Generally speaking, these are the top four security threats to organizations today. As I
said, Malware is a catch-all, a broad term that refers to software designed to do bad
things, in some cases to compromise systems and steal information.

But Malware is also used to cause mayhem and wreak damage. It's always at the top of
the list because Malware grows and gets more dangerous as hackers learn new tricks.
Social engineering is used by hackers to build relationships with people on the inside or
take advantage of a situation where people are involved. Sometimes it's employees who
unwittingly give up information. Sometimes it's methods that hackers use to take
advantage of a situation.

And there's a methodology to it too, dumpster diving, where a hacker goes through an
organization's trash to find information that may help him gain access to a network. Or
shoulder surfing where someone looking over your shoulder might glean a password or
account name. Social engineering can get quite sophisticated, perhaps taking months or
longer. Software that goes unpatched represents a real threat.

Zero day exploits appear and the clock begins to tick. Someone identified a flaw in a
piece of software for example and while that flaw remains unpatched, it is a threat. Or in
the case of many organizations, they have a working system and don't want to mess with
it, so say, staying with Windows 7, or a piece of software that's three generations old.

BYOD and IoT are relatively new. They've only been with us for 10 or 15 years really, if
BYOD and IoT are relatively new. They've only been with us for 10 or 15 years really, if
you're speaking about bring your own device. They represent a risk because these devices
can connect wirelessly to an organization's network. And security for mobile devices isn't
always as secure as you need.

People bring their own devices, and companies let them connect because it's convenient.
Maybe it's cost effective, and it may make employees more efficient because they don't
have to be tethered to their desks to get work done. But these devices could pose a real
headache when they contain sketchy software or even worse, actual Malware.

And the Internet of Things is even newer with devices that didn't previously connect
having connectivity now. Televisions and other electronic devices, refrigerators even.
And while there is a convenience factor to these devices, what we're seeing is that the
thousands of vendors who manufacture them don't always or equally spend a lot of time
thinking about security. And that poses a threat to organizations that use them.

Types of Attacks

[Video description begins] Topic title: Types of Attacks. Your host for this session is
Jamie Campbell. [Video description ends]

In this video I'll discuss the common types of security attacks and how they pose a risk to
organizational information. Knowledge is power, that phrase has stood the test of time
and has serious implications in a world where information travels so freely. We IT
professionals always have to be aware of the next threat or kind of attack because by
understanding them, we can build defenses against them.

However, how much information do employees have about the attacks that can cripple a
company or put it at great financial risk? People are generally aware of some of the
buzzwords like virus, but they don't intuitively understand how they're packaged and
delivered.

And that presents a risk for companies that don't properly train their personnel in the
things to look for. So let's dig into it. Virus, Trojan, and Worm, terms that most people
have heard. These three are the unholy triad of malware. Generally they are small
programs that can attach themselves to legitimate programs. Sometimes they're stand
alone processes that have been installed when a user clicks something they shouldn't
have. And some malware, like worms, is designed to spread itself across a
computer network. Whatever their methodology their purpose is always for malicious
reasons. They could be used to spy quietly without the user being aware of them. They
can lock files and systems, encrypting them so a user can't gain access. They can cause
mayhem, destroying files or entire file systems, and they can spread themselves
exponentially to widen the damage.

Another common kind of attack and I use the word attack loosely because these aren't
necessarily actively enacted, are clickjacking and URL spoofing. Clickjacking is a
method used to hijack clicks, thus the name, on websites. It takes advantage of
vulnerabilities on a webpage to trick users into clicking invisible links. URL spoofing
creates what appears to be a legitimate page from a legitimate company, except that it's
not legitimate. Someone has gone to great lengths to duplicate your bank's
website, for example, and then tricks you into going there. Or perhaps through a URL
that looks like, but is not exactly, the spelling of the bank's URL. Why do hackers use
clickjacking and URL spoofing? There are several possible reasons; they could want to
earn money off advertising. So in the case of clickjacking, if you click on something that's
actually an ad, they're getting the money off of it, that's the best case scenario.

Often these methods are used to steal information or even infect the system. IP Spoofing
is another common kind of attack. In IP spoofing, an attacker hides their actual IP address
and tricks another system into thinking that the IP address is a trusted one. So why use IP
spoofing? Well, it can trick another system into accepting it as trusted. Internal network
IP addresses for example, have a certain numerical format, and firewalls are trained to
allow addresses using that format. If you can trick a system by saying, hey, I'm one of
you, I'm one of the team, then you can begin to cause mayhem.
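As an added example (not from the course), this Python check shows the usual mitigation for the trick just described: a firewall judges a packet by the interface it arrived on, not by whether its source address merely looks internal. The address ranges, interface names and flow records are constructed for illustration.

```python
"""Added example: interface-aware anti-spoofing check (ingress and egress
filtering in the spirit of BCP 38). The address ranges and flow records are
constructed for illustration, not taken from the course."""
import ipaddress
from typing import List, Tuple

# Assumed internal address space (LAN and DMZ) of the organization.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]

# Source addresses that can never legitimately arrive on the Internet-facing
# interface: our own internal space plus the other private, loopback,
# link-local and "this network" ranges.
NEVER_FROM_OUTSIDE = INTERNAL_PREFIXES + [ipaddress.ip_network(p) for p in (
    "172.16.0.0/12", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_PREFIXES)


def spoof_verdict(iface: str, src: str) -> str:
    """Judge a packet by the interface it arrived on, not by its source address alone.

    iface is "ext" (Internet-facing) or "int" (LAN-facing).
    Returns "ok", "ingress-spoof" or "egress-spoof"."""
    ip = ipaddress.ip_address(src)
    if iface == "ext":
        # "Hey, I'm one of you": an internal-looking source on the outside interface.
        return "ingress-spoof" if any(ip in net for net in NEVER_FROM_OUTSIDE) else "ok"
    if iface == "int":
        # An internal host sending with a foreign source would let our network be
        # used to spoof others; drop it at the edge.
        return "ok" if is_internal(ip) else "egress-spoof"
    raise ValueError(f"unknown interface {iface!r}")


# Constructed flow records: (interface, source, destination). Public addresses
# come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_FLOWS: List[Tuple[str, str, str]] = [
    ("ext", "203.0.113.7", "10.0.1.20"),     # ordinary Internet client to the DMZ
    ("ext", "10.0.0.5", "10.0.1.20"),        # outside packet claiming an internal source
    ("int", "10.0.2.14", "198.51.100.9"),    # normal outbound traffic
    ("int", "198.51.100.9", "203.0.113.7"),  # internal host forging a foreign source
]


def scan(flows=SAMPLE_FLOWS) -> List[Tuple[str, str, str]]:
    """Return (interface, source, verdict) for each flow."""
    return [(iface, src, spoof_verdict(iface, src)) for iface, src, _dst in flows]


if __name__ == "__main__":
    for iface, src, verdict in scan():
        print(f"{iface:3} {src:15} {verdict}")
```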

Phishing and spear phishing are common methods of fishing for information about a
potential target. Thus the name, except with P-H at the beginning instead of an F.
Commonly, this is done through email, but it has been used in social engineering, and it's
spread to SMS and other kinds of messaging systems now that they're more prevalent.
And spear phishing is a more sophisticated and therefore dangerous form of phishing. It's
more targeted often using personal information about the recipient calling them by name,
sending them a message as if it was a known and trusted sender. Both kinds of phishing
are used to get information about a target. And that could range from someone pretending
to be from IT looking to confirm a password to obtaining information about account
information, and more. So they're very dangerous types of attacks.

Brute force attacks sound scary because they can be. In a brute force attack, a computer
throws processing power at a problem: it keeps trying passwords over and over again,
guessing until it gets one right.
Now, this has become more of a problem because back in the day, computers simply
weren't fast enough to have the processing power to process all the conceivable
combinations. But computers have gotten exponentially more powerful, and that's why
you see greater emphasis on password complexity. The man-in-the-middle attack is where
a hacker sits in between two parties, say for example, two people sharing an email
conversation.

[Video description begins] Why Man-in-the-Middle? [Video description ends]

The man-in-the-middle attack could be used passively to gain sensitive information, say
about a client, a company, account information, you name it. Or it can even be used
actively to modify the information being transmitted. So for example, the hacker receives
the email, modifies the information in it, and then sends it along to the intended recipient.

Keyloggers are small pieces of malware that capture keyboard input. Their purpose is of
course pretty obvious. Someone can intercept account information, passwords, and other
sensitive information because every keystroke is silently captured and transferred.

Everyone knows spam, and no one loves it. But in my experience, most people don't
understand why much of the spam we get can be dangerous. Often it's nonsensical and
obvious in the scam it represents, but it can and does come in many forms, through
emails, telephone, and messaging systems.

Spam can be dangerous in all kinds of ways. The obvious stuff, the prince looking to get
his money out of the country, I think most people are privy to. But spammers have gotten
more sophisticated, often tricking people into clicking links, opening attachments, and
things like that. But spam can herald other things too, for example, bogging down servers
as the buildup to an attack happening elsewhere. Spam can be pretty insidious, and
everyone in an organization needs to be spam literate.

[Video description begins] Spam can be very dangerous (with included links) or
deceptive (to draw focus away from something else) [Video description ends]

And then there's Denial-of-Service, DoS, and Distributed-Denial-of-Service, DDoS. In
this kind of attack, a system or systems keep accessing an IP address thousands of times a
second with the intent of choking the system. These attacks can be pretty damaging, and
the most nefarious ones in history have cost the targeted companies a great deal of money
and downtime, in lost business and in upgrading equipment to mitigate future attacks of
this kind.

[Video description begins] DDoS is particularly dangerous because it comes from
multiple sources, usually unknowing bot computers, with a primary focus of disabling a
site. [Video description ends]

But DDoS in particular is problematic because of the distributed part, the first D. In such
attacks the hacker uses unsuspecting computers, those of users who clicked the wrong link or
opened the wrong attachment, installing bot software, something called a command and
control, or C&C, bot. When the hijacker has a sufficient number of bots, collectively
known as a botnet, they can instruct the systems to bombard their target.

Physical Security

[Video description begins] Topic title: Physical Security. Your host for this session is
Jamie Campbell. [Video description ends]

In this video, I'll discuss the role physical security plays in the protection of corporate
data. I think we all know practically speaking what physical security means, but there's a
bit of nuance when we talk about physical network security. It's all the tangible things
that protect a company's information: from locked doors, to the servers, to the nodes on a
network (that is, all the PCs plugged into a network port), to the network hubs
throughout a building, to the network ports themselves.

And the physical footprint is large, spanning a great deal of area, particularly if you're
talking about a company that has physical locations in different geographical areas. It
includes buildings, rooms inside those buildings, and warehouses and other ancillary
locations. But it goes deeper. It includes any tangible thing that can be read or removed:
printed documents, calendars and rolodexes, and printed reports. And yes, it includes
any computer, connected device, or access point, either wired or wireless, and servers.

So, why worry about it? We have locks, security guards, what's the big deal? Well, first,
locks can be broken, if they're used at all. People tend to trust a visitor, especially if they
don't know that someone wandering down the hallway is a visitor. One method of social
engineering is to enter a secure building close behind someone working there. They
swipe their security pass, and the hacker enters along with them. It has happened, and the
hacker can now wander around the building looking for exploits. And as long as they're
acting like they belong there, it's rare that an employee would confront them; it's
certainly not always the case that employees would.

And here's the other thing. Locks are great when they're used. I like the adage that we
don't lock doors inside our houses. A few years ago, I heard a colleague discussing the
time they wandered into an empty office in their building. No one was occupying the
office and it was unlocked. But there on the floor was a wireless router plugged into an
Ethernet port, so plugged into the network. The problem was that the company had a
policy of securing the locations where wireless routers were located, keeping them in
locked cabinets.

My colleague unplugged the router and logged a security incident, because it's quite
possible someone wandered into this empty office and plugged in to the company
network. And the other thing is passes and security badges. Does the company have a
policy to expire them? Passwords are usually set to expire, and so should these keys.
Because these systems are all digital now, it's less of a problem, but perhaps it's a small
company with a rudimentary legacy system. If someone retires or gets fired, their access
should immediately be terminated, and these cards should be treated as another attack
vector.

Social Engineering

[Video description begins] Topic title: Social Engineering. Your host for this session is
Jamie Campbell. [Video description ends]

In this video, I'll discuss how social engineering is conducted and how it can be mitigated
through corporate policy. Social engineering is the human side of hacking. Hackers
understand that people can often be tricked into giving up information in person that they
wouldn't give out online, even if that information is seemingly innocent. Knowledge is
power, and hackers use every bit of information to find ways into secured systems, so
they can access digital assets.

[Video description begins] Social engineering is the human side of hacking, targeting
individuals to either gain knowledge or confirm ways into an organization's information
and data [Video description ends]

In some very real ways, social engineering is as dangerous as, or in some cases more
dangerous than, online hacking. It's often overlooked as a topic for staff training. And because every
personality is different, different people are more susceptible to the often sophisticated
tactics used by would-be attackers. There are some common social engineering techniques
used by hackers. By recognizing them, you can reduce the risk that you'll fall under the
spell of a social engineering campaign.

The first is dumpster diving, a term that refers to rummaging through an organization's
trash. It's not a new idea, and when companies don't properly dispose of potentially
sensitive information, it could very well end up in a dumpster and ultimately in the hands
of a hacker. Tailgating is the act of following an authorized person into a secure place, so
if you're smooth enough, you can pretend that you're an employee with the person in
front of you, using their credentials to enter a secure space.

Phishing is the act of trying to get information from someone by pretending you're
someone else. It might seem like a bank or some other authority calling or emailing for
more information. Pretexting is similar to phishing but a bit different, because now the
hacker pretends to be a legitimate person who needs specific information. One common
tactic is to call an employee pretending to be from technical support.

People are surprisingly trusting if they think that they're speaking with a legitimate
person, and this way hackers can gain valuable information. Also similar is quid pro quo,
where a hacker tries to find someone in an organization who has a real need, for
example, by calling successive numbers pretending to be tech support.

[Video description begins] Why is social engineering dangerous? [Video description ends]

Eventually, they'll come across someone who has an actual technical problem. By
establishing this connection, the hacker hopes that the person on the other line will be
more trusting and give up information. Now keep in mind that these are only a portion of
the various social engineering techniques used by hackers.

And this is all to say that social engineering is effective because people are more trusting
when it's out of context with what they are told to look for. Everyone knows they
shouldn't open an attachment or click a link from an untrusted source, or at least they
should.

But put the connection out of context with something as seemingly innocent as talking to
tech support on the phone, and they may open right up. Basically, a stranger isn't
necessarily a stranger when they are standing in your living room. And while that isn't
always the case, we tend to open up a bit more when we are in a familiar setting.

The Importance of the Corporate Security Policy

[Video description begins] Topic title: The Importance of the Corporate Security Policy.
Your host for this session is Jamie Campbell. [Video description ends]

In this video I'll discuss the importance of corporate security policies and why they
should be strictly adhered to. Corporate security policies are a funny thing. More often
than not, they're well designed, but how many people in an organization actually read and
understand them? Why do we need them, some may ask. Isn't it just guidance for the
people in IT, the ones who are there to protect the company's information? Well, here are
some facts.

First, a security policy is not a nice-to-have, it's a must-have. The legal and financial
ramifications of some sort of major security event can have a lasting impact. And we
need to be proactive, not just anticipating the worst but understanding what the worst
looks like, should it happen. And having a policy means adhering to it, doing what it
says. The problem is often that people may not even read it.

New hires, for example, when they're onboarded, may get guidance on the policy. They're
asked to sign a document indicating that they read it. But that's not a substitute for
actually reading and understanding it. And it's difficult to keep everyone informed when
the policy evolves. And it may very well evolve, but that's a challenge that must be
overcome.

And don't cut corners with your policy; it's there to protect you. The minute someone
asks for a favor ("hey, I know we're not supposed to have this software, but could you
install it for me anyway?"), they've missed the entire point of the need for a policy. So,
here are some hard and fast facts about a corporate security policy. Every employee must
read and sign it.

You can make it part of the onboarding process for new hires, and maybe it's not enough
to tell them to read it; explain why they need to know this. And what they get doesn't
have to be in depth, not the nitty-gritty stuff; they don't need to know what goes on
behind the scenes in IT in the event of a catastrophic power failure. But they do need to
know how it affects them and what they can do to mitigate the risk. They certainly need to
be aware of compliance issues.

Countries and geographic regions have adopted new legislation in the information age
and everyone was affected when the EU's GDPR regulations went into effect in May of
2018. In many cases, especially when we're dealing with private information, we are
legally bound to protect that information at our own peril. But that's an organization-wide
responsibility. It's not enough that your compliance officer understands the liability risks.
The people who handle the information have to be aware of it. And a security policy must
be monitored and audited on a frequent basis to ensure that it's doing its job.

Password Protection Policies

[Video description begins] Topic title: Password Protection Policies. Your host for this
session is Jamie Campbell. [Video description ends]

In this video, I'll discuss the importance of password policies and why they should be
adhered to. Passwords, the bane of our existence. There was a time not long ago when we
had one easy-to-remember password for everything. And no one batted an eyelash,
because we didn't face the same risks that we do today. So why do we need it? Why all
the crazy characters? Well, here's one reason or ten.

These are the ten worst passwords used by people in 2018. And even a novice hacker
wannabe could crack these without breaking a sweat. It's kind of reminiscent of
Hollywood where someone is trying to break into a computer, and after three tries they're
in because they used your birth date. And I'm serious here. Given the opportunity, most
of us would choose something like one of these because it makes life easier.

But here's why it's a big deal. Modern CPU speed has made brute force attacks even
scarier. There was a time, 20 years ago, when if you chose eight characters of randomized
numbers, you were probably safe from the average attacker. That's no longer the case.
And look, social engineering, particularly phishing, is a thing. We can't ignore the
sophistication of hackers, and making passwords easy to remember just elevates the risk.
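An added example (my code, not the course's) that serves both the brute force discussion earlier and this password complexity point: it estimates the average time to exhaust a password's keyspace at an illustrative older guess rate and an illustrative modern one, so the "eight random digits" case can be compared with a longer mixed-class password. The two guess rates and the sample passwords are assumptions.

```python
# Illustrative guess rates (assumptions, not figures from the course): a rough
# "20 years ago" CPU rate and a modern GPU-class offline cracking rate.
GUESS_RATE_OLD = 1e4      # guesses per second
GUESS_RATE_MODERN = 1e10  # guesses per second

# Alphabet sizes per character class (ASCII printable = 95 characters in total).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def alphabet_size(password: str) -> int:
    """Size of the smallest character set that covers every class used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidate passwords of exactly this length over this alphabet."""
    return alphabet ** length


def expected_seconds(alphabet: int, length: int, rate: float) -> float:
    """Average brute force time: on average half the keyspace must be tried."""
    return keyspace(alphabet, length) / 2 / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that is at least 1."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.3f} seconds"


def report(password: str) -> dict:
    """Compare one password's average cracking time across the two eras.

    This is an upper bound: a word that appears on a worst-passwords list
    falls to a dictionary guess long before the keyspace is exhausted.
    """
    a, n = alphabet_size(password), len(password)
    return {
        "alphabet": a,
        "keyspace": keyspace(a, n),
        "old": expected_seconds(a, n, GUESS_RATE_OLD),
        "modern": expected_seconds(a, n, GUESS_RATE_MODERN),
    }


if __name__ == "__main__":
    # Constructed sample passwords: eight random digits, a dictionary word,
    # and a twelve-character password drawing on all four classes.
    for pw in ("38291047", "password", "Qx7!mZ2#pL9v"):
        r = report(pw)
        print(f"{pw!r:16} alphabet={r['alphabet']:3} "
              f"then={humanize(r['old']):>15}  now={humanize(r['modern'])}")
```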

And we struggle because we're no longer in a single password world. I shudder to admit
the number of different passwords I have. But, because of password complexity, they are
not easy to remember. It's a challenge, and that's why employees push back on complex
passwords. But the cost of a breach can be disastrous.

And then of course, there's what I call sticky note syndrome. I cannot tell you the number
of times I've walked into someone's office and spied a yellow sticky note pinned to the
monitor, not with just one password, but often multiple passwords. That's a huge no-no,
and IT admins understand that. A password policy must incorporate strong language and
strong follow-through on the physical storage of passwords.

And you're not alone if you think this: users don't necessarily care about security; it's IT's
job. "It's my job to get work done." They want things uncomplicated. They want to be
unencumbered, and who can blame them? But that doesn't change the need for a strong
password policy without any loopholes. No exceptions, because every exception puts
your company at greater risk.

Why Never to Ask an Admin for Favors

[Video description begins] Topic title: Why Never to Ask an Admin for Favors. Your host
for this session is Jamie Campbell. [Video description ends]

In this video, I'll elaborate on the reasons why IT administrators need to protect an
organization by refusing to bend the rules. IT admins hear it all the time. You're making
my life more difficult.

[Video description begins] Why Shouldn't I Ask My Admin for a Favor? [Video
description ends]

It doesn't help that admins seem to be regarded as being on a power trip. They're the ones
in control. Honestly, it can be a thankless job at times, but it's the responsibility of the
admin to hold the keys to the kingdom and protect them at all costs.

So have you heard anyone say this to an admin? Maybe you've even said it: I hate this
password, I already have ten others I have to memorize, and you've given me this garble
of characters and numbers. And why does it have to change every 90 days? Can't you
help a guy out? Look, no one likes to impose these kinds of restrictions, at least not
without reason.

The fact is we have strong password policies in place to protect you, me, your colleagues,
the guys upstairs, the suppliers, the customers, everyone, the very company itself. And IT
has been given the awesome task of enforcing that policy, and they will not relent because
they understand the seriousness of the risk. How about this one? I need this app to do my
job. It's really great. My friend over at company ABC gets to use it, so why not me? Well,
company ABC probably needs to reassess its security policy, because we have reasons for
disallowing errant software that we know nothing about. It creates a new wrinkle, adds to
the attack surface, and beyond that, if an admin were to cut you a break and install the
software on your laptop, what's to stop everyone else from asking for the same favor?

See the problem? Why can't my phone access my network folder? Simply put, it's a bad
idea to give a mobile device like a phone or tablet that kind of access. There are too many
variables, specifically too many different mobile operating systems and kinds of devices
often with sketchy apps and poor or no security software.

Besides, mobile OSs don't really play well with traditional network protocols probably
because it's not really what they were designed for. Now, there are apps that can provide
that kind of access, but that in itself is a reason against the practice because you won't
find one from any of the big software providers.

And the capability to connect to a Windows or Linux network isn't built into these
devices. In the event that you need access to something, say a Word, Excel, or a
PowerPoint file, web applications that can be accessed through a browser are the best bet.
And IT normally has some sort of cloud provision that adds a layer of security, or
something living inside the DMZ that will suffice for accessing your files on the go.

[Video description begins] Facts about IT [Video description ends]

I'll leave you with this. IT is there to do a job, just like everyone else. They're
accountable, just like everyone else. But really what's important to know is that they're there to
protect you and others, not just the data or a nebulous concept like the integrity of the
network. They want to help, but they have policies and procedures designed that way
because they work. And they're bound by a code of ethics, no less important to them than
to another professional, a lawyer, a doctor, anyone like that, anyone entrusted with
information that could be damaging were it to become public.

And on a very real note, an administrator could be fired for bending the rules. In some
instances they may even be subject to legal or fiduciary penalties for breaking the rules.
So it helps to remember that they're there for you, and they're there for the company. And
you're better off for having them there to protect and enforce the rules.

Exercise: Describe Security Threats

[Video description begins] Topic title: Exercise - Describe Security Threats. Your host
for this session is Jamie Campbell. [Video description ends]

Now that you've learned about security threats it's time to put some of that knowledge to
work.

In this exercise you'll describe security threats. You'll explain what an attack surface is.
Explain what a demilitarized zone is. Explain threats, vulnerabilities, and risks. Explain
four top security threats. And explain what social engineering is. At this point you can
pause this video and answer these questions. When you're done, resume the video to see
how I would answer them. Okay, let's answer these questions. It's okay if you didn't
answer them exactly the same way.

First, explain what an attack surface is. Well, an attack surface is all the nodes, users,
devices, and entry points representing potential vulnerabilities of a software, network, or
business environment.

Next, explain what a demilitarized zone is. A demilitarized zone is a logical, sometimes
physically partitioned space between the entry point to a network, the firewall, and the
interior of a network or LAN. Its purpose is to provide a barrier between the outside
world and an organization's sensitive information.

Next, explain threats, vulnerabilities, and risks. Well, threats are potential sources of
danger. Vulnerabilities are potential sources of exploit. And risks are the elements or
assets that can be lost if threats meet vulnerabilities.

Next, explain four top security threats. Generally, the four top security threats to
organizations are malware, social engineering, unpatched software, and bring your own
device and the Internet of things.

Finally, explain what social engineering is. Social engineering can be characterized as the
human side of hacking. Where hackers target individuals to either gain knowledge or find
ways to access an organization's information and data.

I hope you found this exercise helpful.
