
Town of Bedford, MA

Security Awareness Training - March 1st, 2016

Aileen Benson | Senior Security Analyst | abenson@CompassITC.com


Agenda

• Information Security Explained
• Privacy Regulations
• The Need for Information Security
• Public vs. non-public information
• Hardcopy information
• Electronic information
• Social engineering
• Your Security Role
Information Security Defined

Information security involves the preservation of:
• Confidentiality: Ensuring information is disclosed to, and reviewed exclusively by, intended recipients / authorized individuals
• Integrity: Ensuring the accuracy and completeness of information and processing methods
• Availability: Ensuring that information and associated assets are accessible, whenever necessary, by authorized individuals
Information Security Explained

Global in a World Made Flat by the Internet

[Diagram: a globe labelled with the dimensions Business, Geographic and Political, with a compass rose (N, W, E, S); the sources of risk are grouped in three columns:]
• Unintended Events: Human Errors, Accidents, Natural Disasters, Physical Vandalism
• Malicious Actions: Security Compromise, IT Fraud / Social Engineering, Hackers / Virus Attacks
• Mismanagement (Internal & External): Planning, Control, Compliance, Monitoring, Remediation
Malicious Risks: Who Would do That?

[Diagram: risk actors divided into Internal and External, labelled "Team", with a compass rose (N, W, E, S):]
• External: Hackers - Viruses (International); Social Engineering (Confidence Man/Woman)
• Internal: Employees with access to funds and confidential information
Privacy Regulations

Regulations Defined:
Rules and administrative codes issued by governmental agencies at all levels: municipal, county, state and federal. Although they are not laws, regulations have the force of law, since they are adopted under authority granted by statutes, and often include penalties for violations.
Source: http://dictionary.law.com
Privacy Regulations

• 201 CMR 17 (Massachusetts state privacy law) was enacted to protect the confidential personal information of consumers and employees. The laws require that when an individual or commercial entity that conducts business in the state, and that owns or licenses computerized data including personal information about a resident of the state, becomes aware of a breach of the security of its computer system, the business or entity conduct a prompt investigation to determine whether personal information has been compromised.
• The regulations also apply to hardcopy records.
• They require notification of the individual(s) affected, as well as state regulators, in the event personal information has been compromised.
Personal Information

A resident's:
• First name and last name, or
• First initial and last name

in combination with any one or more of the following data elements that relate to such resident:
a) Social Security number
b) Driver's license number or state-issued identification card number
c) Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account;
provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
The Need for Information Security

• The consequences of insufficient security:
  – Identity Theft
  – Equipment Theft
  – Compromised Customer Confidence - Loss of Business
  – Compromised Employee Confidence - Retention of Staff
  – Service Interruption (e.g. e-mail and application)
  – Loss of Competitive Advantage
  – Loss of Reputation (e.g. embarrassing media coverage)
  – Legal Penalties – fines and other legal action
Public vs. non-public information

• Public information:
  – Already a matter of public record or knowledge
  – Freely distributed and accessible by anyone
• Non-public information:
  – Personal information (often called PII – personally identifiable information)
  – Identity information, financial records, healthcare records, etc.
  – Internal plans and other operating information that should not be made public
How to protect non-public information – HARDCOPY

• HARDCOPY
  – Secure storage when not in active use:
    • Locked drawers/cabinets, vault, etc.
  – "Clean desk" policy:
    • Multiple individuals have physical access during and after business hours
    • During: public, visitors, staff, other city employees
    • After: cleaning staff, building management, etc.
  – Irrevocably destroy when no longer needed (following records retention schedule)
    • Locked shred bins, cross-cut shredders, adherence to archival schedules & protocols
    • Straight (or line) shreds can be easily reconstructed via software
  – Escort visitors for duration of visit, especially to sensitive/non-public areas
Line shredding reconstruction examples

• Example of classified US gov't line shredded document reconstructed by Iranian government (manually)
• Example of line shredded document reconstructed in seconds by commercial software – UNSHREDDER $90 / year
How to protect non-public information – ELECTRONIC

• ELECTRONIC
  – Store in secure locations
    • Desktops and laptops are inherently less secure than servers and file shares
  – Send via secure method
    • Email is generally not considered secure!
    • Unencrypted: creates electronic copies on the outbound email server (sender) and the inbound email server (recipient)
    • Instant messages, even to a coworker at the next desk, typically traverse external networks (the public internet) to reach the recipient
  – Safeguard and do not share/disclose passwords
    • Sticky notes under keyboards, in/around desk are easy to find
    • IT (or your manager's manager) will NEVER contact you for your password
  – Irrevocably destroy when no longer needed
    • Temporarily saving a file (to your desktop) and then deleting it is NOT temporary: electronic remnants can most likely be easily accessed.
How to protect non-public information – VIRUSES

• Malicious software: viruses
  – Malicious code embedded in e-mail messages or websites that is capable of inflicting a great deal of damage and causing extensive frustration:
    • Stealing files containing personal information
    • Sending emails from your account
    • Rendering your computer unusable
    • Removing files from your computer
• What you can do
  – Do not open attachments to e-mails:
    • Received from unknown individuals
    • That in any way appear suspicious
  – If uncertain, contact IT or a supervisor
  – Report all suspicious e-mails to IT or a supervisor
How to protect non-public information – MALWARE

• Malicious software: spyware
  – Any technology that aids in gathering information about you or the town without your or the town's knowledge and consent.
    • Programming that is put on a computer to secretly gather information about the user and relay it to advertisers or other interested parties.
    • Cookies are used to store information about you on your own computer.
      o If a Web site stores information about you in a cookie of which you are unaware, the cookie is considered a form of spyware.
    • Spyware exposure can be caused by a software virus or as a result of installing a new program.
• What you can do
  – Do not click on options in deceptive / suspicious pop-up windows.
  – Do not install any software without receiving prior approval.
  – If you experience slowness / poor computer performance or excessive occurrences of pop-up windows, contact IT.
How to protect non-public information – SOCIAL ENGINEERING

• SOCIAL ENGINEERING = Taking advantage of the natural instinct to be helpful, for malicious purposes
• PHONE PHISHING
  – If a received phone call is suspicious, request to return their call
    • Do not provide personal / confidential information to a caller until you are able to verify the caller's identity, and their association with their employer's company or state/town/etc.
  – Never provide a caller with anyone's password, including your own
• EMAIL PHISHING
  – Gaining unauthorized access to information via email solicitation
  – Be suspicious: unknown return address, spelling/grammar/punctuation errors, solicitation of non-public/personal information, "urgency", too-good-to-be-true offer, etc.
  – Jan 2016 Town of Bedford social engineering exercise:
    • 197 total recipients
    • 29 clicked link (14.7%)
    • 18 filled out the form (9.1%)
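As an added example, not part of the training deck or of Compass IT Compliance's material, the Python script below applies the e-mail warning signs listed above (unknown return address, spelling errors, requests for non-public information, urgency, too-good-to-be-true offers, plus a link to a domain the town does not operate) to a message and reports which ones it found. The trusted-domain allowlist, the phrase lists, the two constructed sample messages and the two-indicator threshold are all assumptions made for this example.

```python
"""Heuristic e-mail phishing-indicator checker (added example; assumptions noted inline)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the town's staff normally receive mail from. Constructed for this example.
TRUSTED_DOMAINS = ("bedfordma.gov", "compassitc.com")

# Phrase lists follow the warning signs in the training deck; the words themselves are constructed.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended", "act now")
NON_PUBLIC_REQUESTS = ("password", "social security", "ssn", "account number", "date of birth")
TOO_GOOD_PHRASES = ("you have won", "prize", "free gift", "lottery", "claim your reward")
COMMON_MISSPELLINGS = ("recieve", "acount", "verfy", "immediatly", "informations")


def _is_trusted(host: str) -> bool:
    """True when host is a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _domain(header_value: str) -> str:
    """Domain part of an address header such as 'Name <user@host>'; '' if absent."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the warning signs found in one plain-text e-mail (headers + body)."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()                      # single-part text message assumed
    text = (msg.get("Subject", "") + "\n" + body).lower()
    found: list[str] = []

    # Unknown or mismatched return address.
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))
    if not _is_trusted(from_domain):
        found.append("unknown sender domain: " + (from_domain or "<missing>"))
    if reply_domain and reply_domain != from_domain:
        found.append("reply-to domain differs from sender: " + reply_domain)

    # A link whose host is not one the town operates (report the first such link only).
    for host in re.findall(r"https?://([\w.-]+)", body, flags=re.IGNORECASE):
        if not _is_trusted(host):
            found.append("link to untrusted domain: " + host.lower())
            break

    # Content cues from the deck: spelling errors, requests for non-public data,
    # urgency, and too-good-to-be-true offers.
    checks = (
        ("spelling errors", COMMON_MISSPELLINGS),
        ("asks for non-public/personal information", NON_PUBLIC_REQUESTS),
        ("urgency", URGENCY_PHRASES),
        ("too-good-to-be-true offer", TOO_GOOD_PHRASES),
    )
    for label, phrases in checks:
        hits = [p for p in phrases if p in text]
        if hits:
            found.append(f"{label}: {', '.join(hits)}")
    return found


def verdict(raw_message: str) -> str:
    """Map the indicator count to the deck's advice. The two-indicator threshold is an assumption."""
    count = len(phishing_indicators(raw_message))
    if count >= 2:
        return "report to IT"
    if count == 1:
        return "verify the sender before acting"
    return "no indicators found"


# Constructed sample messages (not real mail; the addresses and hosts are made up).
PHISHING_SAMPLE = """From: IT Help Desk <helpdesk@bedfordma-support.example>
Reply-To: reset@mail-verfy.example
Subject: URGENT: acount verification required
Content-Type: text/plain

Dear user,
Your mailbox will be suspended within 24 hours. Please verfy your acount
by replying with your password or visit http://bedfordma-login.example/reset
"""

LEGIT_SAMPLE = """From: Town Clerk <clerk@bedfordma.gov>
Subject: Records retention schedule reminder
Content-Type: text/plain

Reminder: the locked shred bins on the second floor are emptied on Friday.
Schedule: http://www.bedfordma.gov/records
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(name, "->", verdict(sample))
        for indicator in phishing_indicators(sample):
            print("   -", indicator)
```

Run stand-alone, the script prints the verdict for each sample together with the indicators that triggered it: the constructed lure trips all six checks, while the clerk's reminder trips none because its sender and link both sit under the town's own domain. The phrase matching is deliberately simple so the logic is easy to follow; the deck's own guidance still applies when a message trips only one indicator, which is why that case returns "verify the sender before acting" rather than a clean bill of health.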
Your Security Role

• You can prevent an information security incident by:
  – Treating all of the information you handle as if it were your own personal information.
    • Examples of questions you should ask yourself before performing a specific activity include:
      o Could the actions I am about to perform in any way harm either myself or the town?
      o Is the information I am currently handling of vital importance either to myself or the town?
      o Is the information protected by regulations or laws?
      o Is the information I am about to review legitimate / authentic?
      o Have I contacted appropriate town personnel with questions regarding my uncertainty about how to handle this sensitive situation?
Questions?

Erin Benson
Compass IT Compliance, LLC
ebenson@compassitc.com
