2015 Cyber Security Awareness Month

FS-ISAC is proud to support StaySafeOnline.org’s National Cyber Security Awareness Month this October.

In support of the effort, FS-ISAC has developed a list of daily cybersecurity tips which follow the weekly themes established by StaySafeOnline.org and the National Cyber Security Alliance:

  • General Cybersecurity Awareness
  • Creating a Culture of Cybersecurity at Work
  • Staying Protected While Always Connected
  • Your Evolving Digital Life
  • Building the Next Generation of Cyber Professionals

FS-ISAC will be posting one tip each working day throughout the month. Be sure to check back here, or follow us on Twitter @fsisacus, for all National Cyber Security Awareness Month content.

List of Tips:

Week 1 (Oct 1–2): General Cybersecurity Awareness

Theme: Week one focuses on cybersecurity as a shared responsibility, and provides simple online tips to empower all Americans to be safer online.

Tip 1: Security is everyone’s responsibility.

Develop an awareness framework that challenges, educates and empowers your customers and employees to be part of the “human firewall.”

Tip 2: Avoiding scams.

Be suspicious of unsolicited phone calls, visits, or email messages, and do not provide personal information or information about your organization. If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.

Week 2 (Oct 5–9): Creating a Culture of Cybersecurity at Work

Theme: Highlights the common threats businesses and employees are exposed to and provides resources for businesses and employees to stay safer online and enhance their existing security plans.

Tip 3: Protecting yourself from phishing.

Protecting yourself involves knowledge and technology. Never open emails from unknown senders. Read each email carefully and be mindful of grammatical errors and misspelled words. Don’t click on the links in the email. Verify the legitimacy of emails by using your browser to go directly to the company web site. Make sure your software is updated regularly. If you think you've received a phishing email, delete the message. Do not click any links in the message.

Tip 4: Protecting yourself from Ransomware.

Ransomware spreads across the internet. Secure your data by backing up your information on an external or cloud drive.

Invest in security tools. Have security software installed and, most importantly, up to date with a current subscription. Remember that with thousands of new malware variants appearing every day, having a set of old virus definitions is almost as bad as having no protection.

Make sure all the software on your system is up to date. This includes the operating system, the browser and all of the plug-ins that a modern browser typically uses. One of the most common infection vectors is a malicious exploit that leverages a software vulnerability. Keeping software up to date helps minimize the likelihood that your system has an exposed vulnerability on it.

Back up data and scan systems regularly. While ransomware can slip past defenses, it's important to back up your information so that you can retrieve it in a worst-case scenario. Scan networks, systems and devices for malware frequently to stop data breaches as soon as they start.

Tip 5: Business Email Compromise (BEC)

BEC is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. Legitimate business e-mail accounts are compromised through social engineering or computer intrusion techniques. The fraudster then conducts unauthorized transfers of funds. Here are steps that companies can take:

  • Create intrusion detection system rules that flag e-mails whose sender domains are similar to the company e-mail domain. For example, with a legitimate domain of abc_company.com, a rule would flag fraudulent e-mail from abc-company.com.
  • Register all domains that are slightly different from the actual company domain.
  • Verify changes in vendor payment location with an additional factor, such as a secondary sign-off by company personnel.
  • Confirm requests for transfers of funds. When using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request.
  • Know the habits of your customers, including the details of, reasons behind, and amount of payments.
  • Carefully scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.
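As an added example (not FS-ISAC's own tooling), the lookalike-domain rule from the first bullet can be approximated in Python: each sender domain is compared with the company domain by edit distance, so abc-company.com is flagged for review while unrelated vendors and genuine internal mail pass. The distance threshold of 2, the subdomain handling and the sample From: headers are assumptions constructed for this example.

```python
from email.utils import parseaddr

# Assumed configuration: the page's legitimate domain plus a constructed threshold
# (two edits catches a swapped separator, a replaced letter, or one of each).
COMPANY_DOMAIN = "abc_company.com"
MAX_EDIT_DISTANCE = 2

def levenshtein(a: str, b: str) -> int:
    """Minimum single-character edits (insert, delete, substitute) turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]

def sender_domain(from_header: str):
    """Extract the lower-cased domain from a From: header; None if no usable address."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()

def classify_sender(from_header: str, company_domain: str = COMPANY_DOMAIN,
                    max_distance: int = MAX_EDIT_DISTANCE) -> str:
    """Return 'internal', 'lookalike', 'external' or 'invalid' for one From: header."""
    domain = sender_domain(from_header)
    if domain is None:
        return "invalid"
    if domain == company_domain or domain.endswith("." + company_domain):
        return "internal"   # the real domain or one of its subdomains
    if levenshtein(domain, company_domain) <= max_distance:
        return "lookalike"  # a few edits away from the real domain: flag it
    return "external"

def flag_lookalikes(from_headers):
    """Apply the rule to a batch of headers; return (header, domain) pairs to review."""
    return [(h, sender_domain(h)) for h in from_headers
            if classify_sender(h) == "lookalike"]

# Constructed sample headers, as an inbound mail gateway might log them.
SAMPLE_HEADERS = [
    "CFO <cfo@abc_company.com>",            # genuine internal sender
    "CFO <cfo@abc-company.com>",            # separator swapped (page's example)
    "Accounts <ap@abc-c0mpany.com>",        # separator and a letter changed
    "Supplier <billing@supplier-inc.com>",  # unrelated external sender
]

if __name__ == "__main__":
    for header, domain in flag_lookalikes(SAMPLE_HEADERS):
        print(f"REVIEW: {header!r} sent from lookalike domain {domain}")
```

A real deployment would also whitelist known partner domains and tune the threshold, since short company domains produce more near misses than long ones.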

Tip 6: Destructive Malware.

Destructive malware presents a threat to an organization’s daily operations and business continuity. It impacts the confidentiality, integrity and availability of data, and it can threaten an organization’s ability to recover from an attack. Follow these five tips to combat destructive malware cyberattacks:

  • Back up data and scan systems regularly. While malware can slip past defenses, it's important to back up your information so that you can retrieve it in a worst-case scenario. Scan networks, systems and devices for malware frequently to stop data breaches as soon as they start.
  • Don't open suspicious emails. Malware is easily downloaded through malicious links in emails.
  • Protect credentials with strong passwords. Passwords are the first line of defense for companies. Require employees to create strong passwords that are a combination of lower and uppercase letters, numbers and special characters to prevent hackers from simply guessing the correct one.
  • Ensure third-party providers are protected. One of the ways companies are most vulnerable to cyberattacks is through an insecure third-party service provider. Cybercriminals can steal credentials from these third parties to gain access to the company and information they are targeting.
  • Update software and patches. Software and tech companies often issue software updates and patches to fix security flaws that cybercriminals can exploit.

Tip 7: Third Party Breaches.

Reduce third-party risks by leveraging your contract and regulatory requirements. Key areas of concern include:

  • Managing your vendors. Perform regular due diligence of your third-party service providers (TSPs) as well as their outsourced vendors.
  • Verifying their controls. Validate that the controls the TSP uses are in line with your written contract and meet your requirements.
  • Business resumption and contingency planning. Certify that the service provider is adhering to the agreed-upon contingency plan that outlines the required operating procedures in the event of business disruption.
  • Right to audit. Enforce the right of the institution and its regulatory agencies to obtain the results of audits in a timely manner. Vendor managers should closely monitor the financial, technical and competitive standing of their vendors.

Week 3 (Oct 12–16): Connected Communities: Staying Protected While Always Connected

Theme: Emphasizes the importance of protecting ourselves when connecting to the Internet while on the go. This week provides best practices for using mobile devices and social media, and encourages us all to become better digital citizens in our communities.

Tip 8: Limit the amount of personal information you post.

Do not post information that would make you vulnerable, such as your address or information about your schedule or routine. If your friend posts information about you, make sure the information is something that you are comfortable sharing with strangers.

Tip 9: Take advantage of privacy and security settings.

Use site settings to limit the information you share with the general public online.

Tip 10: Only access the Internet over a secure network. Maintain the same vigilance you would on your computer with your mobile device.

Tip 11: Be suspicious of unknown links or requests sent through email or text message. Do not click on unknown links or answer strange questions sent to your mobile device, regardless of who the sender appears to be.

Tip 12: Downloading apps. Download apps and data only from trusted, reputable sources or marketplaces.

Week 4 (Oct 19–23): Your Evolving Digital Life

Theme: Highlights the “smart world” we live in and the importance of educating all citizens on cybersecurity as more and more of the devices we use – from phones and tablets to homes and medical devices – become connected to the Internet. Week four provides a current snapshot of technology and where we envision technology taking us in the future.

Tip 13: Being smart about using your devices. Don't use your mobile device to store important and sensitive personal information, bank account numbers or other information that personally identifies you.

Tip 14: Lock your smart devices. Use the screen lock feature on your mobile device. Many mobile phones now provide security options to customize your device so that your information remains secure.

Tip 15: Personal Identification Number (PIN). When selecting a PIN for your debit card or smart device, never use important numbers associated with anniversaries, birth dates, Social Security numbers and the like. Select something easy to remember but not commonly known.

Tip 16: Protect your personal computer. Keep your operating system and security software up to date. Combined, these patches close vulnerabilities on your computer and protect you from cyber-criminals.

Tip 17: Practice good cyber-hygiene. Remember to select unique and strong passwords for all online accounts. Make sure your password is 8 or more characters in length and combines alphabetical, numerical and special characters.

Week 5 (Oct 26–30): Building the Next Generation of Cyber Professionals

Theme: Week five looks to the future of the cybersecurity workforce, focusing on cybersecurity education and awareness at all levels, and emphasizing the need for properly trained cybersecurity professionals.

Tip 18: Organizing operational security awareness. Your institution’s security awareness program should be conducted as a growing and ongoing process, so that training and knowledge are not just delivered as an annual activity but are used to maintain a high level of security awareness on a daily basis. Ensure your security "experts" are well known in your organization. Have them send out security alerts and training exercises. Make the training clear, crucial and compelling.

Tip 19: Communicate your expectations on the first day of employment. Clearly state the mission of your cybersecurity program, the risks institutions are exposed to, how employees are part of the solution and where employees can report suspicious activity. Lead by example. Enforce your cybersecurity policies when violations occur.

Tip 20: Expand your security perimeter. By educating your customers and employees, you expand your security perimeter. What are some ways to increase education?

  • Tip of the day. Post a tip of the day that provides a daily security message.
  • Risk questionnaire. During treasury management visits with commercial customers, go over a brief questionnaire that reveals whether they are at risk of financial loss due to cyber threats.
  • Commercial service security newsletter. Educate your commercial customers about the specific cyber threats that face small businesses today. Your proactive measure may save your customer from a devastating cyber-event and earn you a loyal customer for life.
  • Interactive training. Many firms share interactive security quizzes with their customers on their website; it’s fun and educational.

Tip 21: Do not give out information about fellow employees, remote network access, organizational practices, or strategies to people you do not know. Avoid being the victim of a social engineer. If a person you don’t know calls, sends an email or text, or visits you in person and asks for confidential information about your organization, do not supply any data until the person’s identity has been verified.

Tip 22: Use your computer with the assumption that everyone can see what you’re doing. You might be audited for acceptable use of equipment. Most of us are familiar with the idea that cookies help identify us to advertisers and website owners when we visit websites. However, your computer type, model, operating system, and even the version of web browser you are using are also known to every site that you visit. This combined data provides another method to identify you and the types of information you access. Only visit websites for which you have a legitimate need when doing work for your organization.