Information Security Awareness Programme Information Security Governance AIA

Slides: 39
Information Security Awareness Programme
Information Security & Governance, AIA Singapore
Version 1.0, Nov 2018
AIA confidential and proprietary information. Not for distribution.

Information Security Awareness
1. Phishing and Social Engineering
2. Human Firewall
3. Staying Secure Online
4. Secure Passwords
5. Information on the Internet
6. Working Remotely
7. Data Protection & Destruction
8. Escalation of Cybersecurity Incidents

01 Phishing and Social Engineering

Phishing and Social Engineering
• Phishing is one of the most common forms of social engineering attack, and it targets humans.
• ‘Social engineering’ refers to the psychological manipulation of human behaviour.
  o Human emotions like curiosity, fear and greed are exploited by hackers to achieve their goals.

Phishing and Social Engineering
• Hackers use phishing to take control of your information, steal your personal identity, or gain access to the company’s networks, systems, applications and data.
• Attackers may launch phishing via email, SMS, instant messaging, etc.
• Some phishing attempts are easy to spot, whilst others – like email messages that claim to be from your bank or someone you know – are much harder to detect.
• Mainly, phishing emails will try to get you to:
  o Click on a link to a malicious website
  o Open a malicious attachment that contains malware
  o Provide sensitive information, like an account password

Phishing and Social Engineering
SingHealth Data Breach Incident (Jul 2018)
• Phishing was reportedly used as a tool to gain access to a front-end workstation at SGH, which provided the entry point to the entire healthcare network.
• Staff using that workstation downloaded a file from the phishing email, introducing malware to the workstation.
• The malware that came with the phishing email was customised and tailored to target SingHealth’s IT systems.
Source: “Measures to boost staff awareness of cybersecurity”, Straits Times Online, 6 Nov 2018

Phishing and Social Engineering
1. Thomas receives a phishing email (“AJA INSURER STAFF REWARDS”) addressed to Thomas Tan, Operations Executive, AJA Insurer Pte Ltd.
2. Thomas clicks the URL.
3. Thomas fills in the form with his AJA user name and password credentials.
4. Thomas downloads the attachment.

Phishing and Social Engineering
5. The attachment triggers installation of malware on Thomas’ workstation, giving the threat actor remote access into the workstation.
6. The threat actor accesses the workstation and takes full control of it.
7. The threat actor gains access into AJA Insurer’s core application servers: the policy admin system, agents database, CRM system and HR management system.
8. The threat actor downloads staff, agent and customer data from AJA’s servers.

Phishing and Social Engineering (image-only slide; no text recovered)

Phishing and Social Engineering
• Tell-tale signs of a suspicious email
  o The email claims to be from AIA but is sent from a suspicious “look-alike” domain
  o A “free gift” is offered; if in doubt, the user can check with the helpdesk
  o The email purports to have been issued by HR, yet there is no HR signature or sign-off
  o Grammatical errors
  o Hovering over the link shows http://aiavit.com/aif2ed6e253/2fd580d3c35b1c33e2cb615f/index.php?id=d834a17ef09b9ca, which is a non-AIA domain
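The “look-alike domain” and “hover the link” checks above can be made mechanical. The Python below is an added example, not part of the AIA deck: it extracts the host a browser would really connect to, accepts only exact matches or true subdomains of a trusted domain (the value aia.com is assumed for the illustration), flags look-alikes such as the aiavit.com host quoted on the slide, and reports link text that names a trusted site while the href goes elsewhere.

```python
from urllib.parse import urlsplit

# Domains treated as legitimate for the organisation. "aia.com" is an assumption
# made for this example, not a statement of which domains AIA actually uses.
TRUSTED_DOMAINS = ("aia.com",)


def hostname_of(url: str) -> str:
    """Return the lowercase host a browser would actually connect to.

    urlsplit() ignores any 'user@' prefix, so 'https://aia.com@evil.example/'
    yields 'evil.example', not 'aia.com'.
    """
    if "://" not in url:
        url = "http://" + url          # bare domain typed into the address bar
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_trusted_host(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if host equals a trusted domain or is a real subdomain of it.

    A substring test ('aia' in host) would accept look-alikes such as
    aiavit.com or aia.com.evil.example; the check is therefore label-based.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def looks_alike(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """An untrusted host that still contains a trusted brand label."""
    labels = {d.split(".")[0] for d in trusted}
    return not is_trusted_host(host, trusted) and any(lbl in host for lbl in labels)


def classify_link(href: str, visible_text: str = "", trusted=TRUSTED_DOMAINS) -> str:
    """Classify the real destination of a link, optionally against its visible text."""
    host = hostname_of(href)
    if not host:
        return "suspicious: no hostname"
    # Link text that names a trusted site while the href goes somewhere else.
    shown = hostname_of(visible_text) if "." in visible_text else ""
    if shown and shown != host and is_trusted_host(shown, trusted):
        return f"suspicious: text shows {shown} but link goes to {host}"
    if is_trusted_host(host, trusted):
        return "trusted"
    if looks_alike(host, trusted):
        return f"suspicious: look-alike domain {host}"
    return f"suspicious: external domain {host}"


if __name__ == "__main__":
    # Constructed sample links; the first host is the one quoted on the slide.
    for href, text in [
        ("http://aiavit.com/index.php?id=SAMPLE", "Claim your reward"),
        ("https://www.aia.com/en/", "www.aia.com"),
        ("https://aia.com.evil.example/login", "Login"),
        ("https://aia.com@evil.example/", "https://aia.com"),
    ]:
        print(f"{href:45} -> {classify_link(href, text)}")
```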

Phishing and Social Engineering
• Tell-tale signs of a suspicious SMS (image-only slide; no text recovered)

Phishing and Social Engineering
• Phishing prevention
  o Be suspicious of unexpected emails and messages
  o Be suspicious of emails and messages from unknown senders
  o Be suspicious of any links
  o Never open unexpected attachments
  o Only send to and reply to relevant parties
  o If in doubt, verify with the sender to ensure the email or message is legitimate

02 Human Firewall

Human Firewall
• Hackers often need to trick individuals into divulging important information.
• Humans are the weakest link in the chain of security, and hence the number one target of attackers.

Human Firewall
• Examples of attacks:
  o Sending you a fake email with a bad link or attachment inside it to compromise network access is easier for attackers than trying to hack into the corporate network from outside through other means.
  o An attacker targets an individual on social media or other websites, using the information they have shared to customise email attacks so that they seem more real.

Human Firewall
• Prevention:
  o See yourself as part of the defence of your organization’s information technology systems, and ultimately of the defence of AIA’s information.
  o Take a moment to think through any and all social interactions:
    § Is the question the person on the phone is asking you appropriate, or a normal thing to ask?
    § Is the email you just received from a co-worker official, or does something seem “off” about it?
    § Is your computer slower than normal?
    § Do you know the real identity of those you relate to on social media and Internet websites?
    § Are you aware and conscious of the information you share on social media and Internet websites?

03 Staying Secure Online

Staying Secure Online
• Nowadays, virtually everyone and everything is online.
• As we all become more connected, online attacks are a constant threat.
  o E.g. your computer can be infected with malware by opening an attachment in an email, or by visiting a website that automatically downloads malicious software onto your computer.

Staying Secure Online
• Be aware, and follow these easy steps to stay safe online
  o Use different passwords for different sites
    § Use a trusted password manager to help create strong passwords and keep track of credentials for different sites
  o Keep your browser and plugins updated
    § Once in a while, you may see web browser update notifications
  o Use secure browser settings
    § Find the security settings of the browser you use and set the security level between Medium and High
  o Learn to recognise normal browser behaviour
    § Abnormal browser behaviours include:
      Ø Running slower than usual
      Ø Taking you to sites you did not request or do not recognise

Staying Secure Online
  o Learn about error messages
    § Hints that something is wrong with your browser or the site you are visiting:
      Ø Trust warnings, script errors and certificate errors
  o Always log out
    § Click the logout button every time you are done using online services
  o Know how information can be used against you
    § Be careful when providing personal details online
  o Disable saved forms (e.g. auto-filling of login passwords)
    § Malicious software can gain access to your sensitive data
  o Disable Flash and Java
    § Disabling these browser extensions/plugins helps to eliminate the security threats they bring.

04 Secure Passwords

Secure Passwords
• Creating strong and unique passwords
  o Do NOT:
    § Create simple single-word passwords
      Ø E.g. P@55w0rd
    § Use the same password between systems or sites
    § Use keyboard sequences
  o Do:
    § Try to create a password that is 12 characters or more in length
    § Ensure the password contains both upper and lower case letters
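The slide’s rules can be turned into a checker that explains exactly which rule a candidate password breaks, including why P@55w0rd still counts as a single word once leetspeak is undone. This Python is an added example and not part of the AIA deck; the leetspeak table and the tiny word list are constructed for the illustration, and a real deployment would use a large dictionary or breached-password list in place of COMMON_WORDS.

```python
import re

# Common leetspeak substitutions undone before the dictionary check, so that
# "P@55w0rd" is recognised as the single word "password".
LEET = str.maketrans({"@": "a", "4": "a", "5": "s", "$": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})
# Tiny constructed word list for the example only.
COMMON_WORDS = {"password", "welcome", "letmein", "insurance", "singapore"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_keyboard_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` adjacent keys of one row, forwards or backwards (e.g. qwer, 4321)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False


def is_single_word(pw: str) -> bool:
    """True if pw, with leetspeak undone and symbols stripped, is one dictionary word."""
    core = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    return core in COMMON_WORDS


def check_password(pw: str) -> list:
    """Return the slide rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper and lower case letters")
    if is_single_word(pw):
        problems.append("single dictionary word (leetspeak does not disguise it)")
    if has_keyboard_sequence(pw):
        problems.append("contains a keyboard sequence")
    return problems


if __name__ == "__main__":
    # The last two candidates are the mnemonic examples from the next slide.
    for candidate in ("P@55w0rd", "Qwerty123456!", "llttlso.MB@s5", "Dan1tm!lltaal"):
        print(candidate, "->", check_password(candidate) or ["ok"])
```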

Secure Passwords
• Creating and remembering a strong password:
  o Mnemonic phrases, e.g.
    § llttlso.MB@s5
      Ø Short for the phrase “I love to take long strolls on Mexican Beaches at sunset”
    § Dan1tm!lltaal
      Ø Short for the phrase “Dogs are number 1 to me! I like them all a lot.”
  o Pass phrases, e.g.
    § D0gsbark@mailmen!
  o Use a password management application

05 Information on the Internet

Information on the Internet
• Attackers can use the personal information that we share on the Internet against us.
  o Full name, birthday, hometown, location information, past jobs, etc.
  o E.g. the answer to the security question that protects your account when you register an online login ID can easily be revealed via the information you share on social networking sites like Facebook.

Information on the Internet
• Protection:
  o Put careful thought behind the information we share online, both
    § our personal details, and
    § what we say and post online that can affect our security and privacy.
      Ø E.g. Does everyone really need to know that you cannot possibly be at home?
  o Only share the information that is absolutely necessary for your needs online.
  o Restrict the visibility of what you share to only those people you know and trust personally.

06 Working Remotely

Working Remotely
• Nowadays, even with all the security controls in place, it can be easy for an attacker to hijack your network connection at some public locations and intercept your communications.

Working Remotely
• When working in a public place
  o Dos
    § Sit at a seat where your back is against the wall of the establishment
    § Never leave any of your devices unattended
    § Keep all security controls up to date and in place
      Ø Any required security software is in place and up to date (e.g. antivirus software)
      Ø Browse only secured websites, those whose address starts with https
      Ø Keep browsers and operating systems up to date
    § Think about what type of work you’re doing when in public spaces
      Ø Ask yourself: is this really a good location to do work?
      Ø Is the five minutes of work you will get done worth the risk of working at a certain location?

Working Remotely
• Securing your home Wi-Fi
  o Ensure your wireless router at home is using:
    § WPA2 encryption, and
    § a strong wireless password

07 Data Protection & Destruction

Data Protection & Destruction
• Data classification in AIA
  This section describes AIA’s data classification. While your organization may have its own internal data classification standards, please ensure you understand and comply with AIA’s standard while handling AIA’s data.
  o Highly Confidential
    § Highly sensitive; unauthorized disclosure will have a material impact on AIA’s financial performance, share price, brand reputation, etc.
    § Access/use is granted strictly on a need-to-know basis and limited to named users only
    § E.g. Personally Identifiable Information (PII), price-sensitive information (PSI), trade secrets, etc.
  o Confidential
    § Sensitive; unauthorized disclosure will have a significant impact on AIA’s financial performance and brand reputation
    § Access/use is restricted to a specific group of persons to perform necessary business operational activities only
    § E.g. business strategies, new product development, marketing plans, computer program source code developed in-house, etc.

Data Protection & Destruction
  o Restricted
    § Less sensitive, with limited or insignificant impact on AIA’s financial performance or brand reputation in the event of unauthorized disclosure
    § Access/use is intended for daily operations and is restricted to internal users only
    § E.g. company policies, standards and procedures, approved supplier list, market or product research, etc.
  o Public
    § Disclosure of the information does not pose a risk to the security of physical or information resources
    § Information is publicly available and can be disclosed or shared with the public
    § E.g. brochures, advertisements, website information, press releases, etc.

Data Protection & Destruction
• How to handle sensitive data:
  o Do not disclose/upload AIA Restricted, Confidential or Highly Confidential information to any external website or social media.
  o Encrypt email attachments that contain sensitive data (e.g. Microsoft Excel files, PDF documents). The encryption password must be distributed to the recipients separately (don’t put the password in the same email; best is to call the recipient with the password).
  o Encrypt your laptop and encrypt files on your desktop, and especially files copied to portable media (thumb drives, portable hard discs, CD/DVDs, etc.).
  o Use software to securely erase sensitive data before disposing of a device or allowing anyone else to use it.
  o Physically destroy documents and devices containing sensitive information, e.g. shred paper documents, crush magnetic media (after secure erase).

Data Protection & Destruction
• Would you like to find out more?
  o Data loss protection on laptops, desktops and mobile devices:
    § Install anti-virus software and keep its definitions up to date
    § Perform a periodic full scan of system files and folders
    § Install the latest security patches for software and the operating system
    § Install and enable software with remote wipe capability
    § Do not jail-break or root mobile devices that process or store AIA data
    § Enable a device password on mobile devices and change the password periodically

08 Escalation of Cybersecurity Incidents

Escalation of Cybersecurity Incidents
• Importance of timely escalation (callout: 1 month of delay in escalation)
  Case in point: SingHealth data breach incident (2018)
  o Mid Jun: Despite signs of unauthorized accesses to the SCM DB, SingHealth’s vendor (IHiS) staff were not aware that a cybersecurity incident had occurred
  o 4 Jul: The data breach incident was discovered
  o 9 Jul: IHiS staff escalated to their own senior management
  o 10 Jul: IHiS informed SingHealth and the Cyber Security Agency (CSA) of the cyber attack
  Repercussion: Both SingHealth and IHiS breached the Cybersecurity Act, which requires CSA to be notified within 2 hours of a relevant cybersecurity incident

Escalation of Cybersecurity Incidents
• AIA looks to its vendors and their sub-contractors to:
  § Put in place robust monitoring to detect unusual cyber activities and suspected data breaches, for systems and infrastructure that involve handling and processing of AIA data
  § Notify your business contact person(s) in AIA as soon as possible, or within the stipulated SLA, whenever an actual cyber attack has taken place affecting AIA’s data

I acknowledge that I have read and understood the Information Security Awareness Programme.
Signature:
Name: Hazel Ong
Date: 11 January 2019