
Security Essentials

Protecting yourself and your business while working from home

Next Jump

Community Online Academy

April 9, 2020

Next Jump (NxJ) Security Essentials April 9, 2020 1 / 25

Agenda and Intent

Intent: Share some actionable tips to operate more safely and securely online while working from home.

- Introduction
- Why this matters?
- Five tips and helpful resources
- Questions and answers

If you have questions during the presentation, feel free to send a message in the chat. I’ll try to keep an eye out. If I miss it, there will be time at the end.

Who am I?

- Next Jump CTO
- Originally from upstate New York
- Studied Computer Science at MIT
- Next Jumper since 2008

In my role as CTO, I work a lot on privacy, compliance, and security at an enterprise level. I’ve personally been interested in security since I was a kid.

Why this matters?

Your data is an asset. It’s just like your money, property, and belongings. Hackers and fraudsters are continually trying to steal these assets.

"We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true - even inevitable - then cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world." [1]

Ginni Rometty - IBM CEO

[1] https://www.ibm.com/blogs/nordic-msp/ibms-ceo-on-hackers-cyber-crime-is-the-greatest-threat-to-every-company-in-the-world/

The threat is continually growing and evolving [2]

APT groups are using the COVID-19 pandemic as part of their cyber operations. These cyber threat actors will often masquerade as trusted entities. Their activity includes using coronavirus-themed phishing messages or malicious applications, often masquerading as trusted entities that may have been previously compromised. Their goals and targets are consistent with long-standing priorities such as espionage and "hack-and-leak" operations.

- SMS Phishing
- Email Phishing
- Malware
- Domain
- Remote work exploitation

[2] https://www.us-cert.gov/ncas/alerts/aa20-099a

Example Covid [2]

Why this matters to a business? [3]

[3] https://pdf.ic3.gov/2019_IC3Report.pdf

Why this matters to a business? [4]

[4] https://pdf.ic3.gov/2019_IC3Report.pdf

Why this matters to you?


Reality Check

- Hackers are actively trading software meant to trick you or steal your data.
- Massive databases with breached user names and passwords are easily available online.
- Right now, hackers are actively trying to get into YOUR bank account, email, social media.

How to Defend Yourself

BLUF: The tips are familiar, but they’re more important than ever.

1. Don’t reuse passwords
2. Use a password manager
3. Enable multi-factor authentication
4. Use caution when opening email attachments
5. Check the URL

#1 Do Not Reuse Passwords

Hackers get your password in various ways: phishing, malware, breaking into web sites, etc. If you reuse passwords, when they get into one of your accounts, they now have access to all of your accounts.

- jellybean
- Jellybean!
- JellyBean123!

How to Get Started

Make sure that you’re not reusing passwords or using password variations on your:

- Email Accounts (work and personal)
- Bank Accounts
- Cloud Storage
- Apple / Google
- Sites with saved payment
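An added example, not part of the original slides: a small Python check that treats the "jellybean" variations above as one password by reducing each to a common stem and reporting accounts that share it. The substitution table, function names and sample accounts are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Look-alike substitutions people commonly use to "vary" a password (assumed list).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def base_form(password: str) -> str:
    """Reduce a password to the stem its variations are built on."""
    s = password.lower()
    # Drop digits/symbols tacked on to the front or back ("123!", "2020").
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    # Undo look-alike substitutions, then drop any remaining punctuation.
    s = re.sub(r"[^a-z0-9]", "", s.translate(LEET))
    # Passwords with no letters at all are compared as-is.
    return s or password.lower()

def find_reuse(accounts: dict) -> list:
    """Return groups of account names whose passwords share one stem."""
    groups = defaultdict(list)
    for name, password in accounts.items():
        groups[base_form(password)].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample data, not real credentials.
SAMPLE = {
    "work email": "jellybean",
    "personal email": "Jellybean!",
    "bank": "JellyBean123!",
    "cloud storage": "J3llyb3an2020",
    "shopping site": "tR7#vq9Lw2&xKd",
}

if __name__ == "__main__":
    for group in find_reuse(SAMPLE):
        print("Same password stem:", ", ".join(group))
```

Four of the five sample accounts fall into one group, so a breach of any one of them exposes the other three.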


#2 Use a Password Manager


"Password managers offer greater security and convenience for the use of passwords to access online services. Greater security is achieved principally through the capability of most password manager applications to generate unique, long, complex, easily changed passwords for all online accounts and the secure encrypted storage of those passwords either through a local or cloud-based vault." [5]

The most common and easy to use password managers are:

- 1Password
- LastPass
- Dashlane

Pro Tip: 1Password has removed trial limits.

[5] https://pages.nist.gov/800-63-FAQ/

#3 Enable Multifactor Authentication


Why do you need to set up two-factor authentication?

- When a hacker gets your password, two-factor authentication keeps your account safe.
- Attackers won’t be able to log in unless they also have access to your phone.

How to Get Started

Make sure that you’re not reusing passwords or using password variations on your:

- Email Accounts (work and personal)
- Bank Accounts
- Cloud Storage
- Apple / Google
- Sites with saved payment

#4 Use Caution Opening Email Attachments [6]

[6] Phishing IQ

- Don’t open attachments from people you don’t know
- Don’t assume certain types of files are safe
- Be careful opening unexpected attachments from anyone (their account may have been hacked).

"Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format. There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane." [7]

[7] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

#5 Check the URL


- When in doubt, type the URL in yourself
  - You can use this same logic for most social engineering attacks
  - You can also ask your IT team or check with 1 other person
- Look for the secure lock
  - Don’t log in to your bank or email service if you see that the site is "insecure"
- Search for the site in Google
  - Google will generally be good about removing phishing and malware from its search results
- Password managers can help you avoid being phished

Phishing

Keep in mind... It’s very easy to create a phishing page:

Honorable mentions

- Keep your software up to date
  - Software updates add features, but often contain thousands of security patches.
  - Ignoring those iPhone and Windows updates puts you at risk
- Secure your Wifi / Avoid public Wifi
  - Most new routers are secure by default
  - Change default passwords
- Understand data classification
- Use Antivirus / Firewall
  - A last line of defense
- Use only vetted / approved software
  - Don’t take chances on random programs and apps

Questions

Thanks for coming! Please leave me feedback in the app.