1. Mobile Web/Mobile apps (for work); Cookies; Search engines - everything you search is tracked; Google mapping - location tracking; Malicious links and scams; Bluetooth and wireless security and hot spots; Anti-virus software; Security threats in collaborative activity - sharing features; Social Media; Blogging & personal web sites that are tied to work; Using 3rd party applications; Business Continuity Planning; Responding to an emergency/mishap (virus attack/stolen laptop); Information classification (company-specific?) / Data Classification Policy; Business Identity Theft; Advertisements (check for searching competency); Equipping yourself for Data Recovery (backups/best practices); FTP/Network protocol/network security; Organizational Independence; Hard Drive/USBs
  2. To insert into network security: What makes network security vulnerable: Software bugs; Configuration mistakes; Network design flaws
  3. Not necessarily to be included, but the following encryption software options are bad choices because their passcodes can be easily broken (and they are noncompliant software for PHI): Microsoft Word password protection; Microsoft Excel password protection; Microsoft PowerPoint password protection; Microsoft Outlook .pst file password protection; Zip 2.0 encryption
  4. To insert into network security: VPNs, Firewalls (first line of defense), VLANs, and Network Access Controls
  5. Notes to self: Cloud Computing risks have also been broken down into: technical, legal, and organizational - but I decided this broad categorization was more helpful for an IT team developing CP protocols, not employees, and drew those risk types I felt were most relevant. Risk mitigation is not the responsibility of the Cloud SP - they do not care about the law or data protection -- it is the responsibility of a company to define guidelines for its employees' use of Cloud Services. The only topic I did not include in the framework that I think MAY be relevant: Loss of control to SP --> ex: Cannot know for certain that something deleted is not still on a server somewhere (but I still think this is for the IT Dept. to worry about)
  6. Information protection protocols on: handling, transmitting, storing, and disposing of information
  7. Social media threat classifications: Phishing, XSS, CSRF (don't think this is important for employees to know).
  8. Cookies
    1. What are cookies?
      1. 1st vs 3rd party cookies
      2. New types of cookies: Flash cookies, supercookies, evercookies
      3. Functional advantages of cookies
      4. Risks
        1. Network threats
        2. End system threats
        3. Cookie harvesting threats
    2. Removing, Blocking and Disabling cookies
  9. Floating Topic
  10. Handling Security Threats
    1. Types of Security Threats
      1. Malware (or: "Malicious Software") Attacks
        1. Computer Viruses and Worms
          1. Email vs. network traveling worms
          2. Worms now more common than viruses
        2. Spyware, Adware & Advertising Trojans
        3. Bots & Botnets
      2. Password Attacks (also called authentication & privilege attacks)
        1. Brute-force attack
        2. Dictionary attack
      3. Social Engineering
        1. Phishing Threats
      4. Network attacks
        1. Outside Vs. Inside attacks
        2. Bluetooth specific attacks
          1. Bluesnarfing
          2. Bluejacking
          3. Bluebugging
        3. Eavesdropping
        4. Identity/IP address spoofing
        5. Sniffer attacks
      5. Denial of Service Attacks
        1. Multiple execution methods (ping of death, smurf, teardrop)
    2. Incident handling
      1. Overview of company policy on Information Security
        1. whistle-blower policy
      2. Importance of responding correctly/consequences of negligence
      3. How to respond to a virus/malware attack or other security breach?
      4. How to respond to physical security breach?
  11. Data Security
    1. (CaaS) Information Classification and Storage Protocol
      1. Information classified according to protection and availability needs
      2. Goal: To understand which types of data require protection, and to what extent --> to understand the proper treatment of all types of data you have access to
        1. Confidentiality policies / disclosure policies
        2. Security measures / safeguards
    2. Communication Protocol
      1. Selecting the right channel/medium
      2. e-mail
        1. what type of information is best communicated over e-mail?
        2. Things to keep in mind when opening e-mail/attachments
      3. Phone
        1. where to have conversations
        2. Managing phone recordings
      4. Face to Face Conversation
        1. Being mindful of who you're talking to, what to/not to share?
    3. Working Remotely
      1. Why does working remotely pose a security risk?
      2. How can you set up your computer for working remotely and safely?
      3. What are some things to keep in mind (do's/don'ts) when working remotely?
      4. How to respond to a breach?
    4. Physical Security
      1. Handling Hardcopies
        1. Filing/storage
        2. Disposal/Recycling
      2. Tailgating/Building Security
      3. Protecting Computers/Devices
        1. Do's/Don'ts
        2. Reporting incidents
    5. Highly customizable. There is a lot more to this at the IT/management level.
  12. Staying Safe on the Internet
    1. Browse Safely
      1. Searching
        1. what links to click/avoiding ads
        2. browsing history
      2. Web Cookies
        1. Removing, blocking and disabling / consequences of removing, disabling and blocking
      3. what incognito means
      4. Tools and Updates
      5. Threats from browsing
        1. what an attack looks like
        2. Responding to an attack
    2. Downloading 3rd party applications
      1. What is 3rd party app?
        1. Personal vs. work-related
      2. What information does an app request access to?
      3. How could an app pose a security threat?
    3. Cloud Computing
      1. What is Cloud Computing
        1. IaaS (Infrastructure as a Service), SaaS, PaaS
        2. What it means for data to be at rest, in transit, in the cloud
      2. Risks of Cloud Computing at work
        1. Data Protection
          1. Exposure/release of sensitive data
          2. Data intercepted in transit
          3. Accidental leakage of data
          4. Backup files stored on CP wrongly shared
          5. Malicious insiders
        2. Cloud service unavailability/reliability issues, or termination
          1. Loss or unavailability of needed data
        3. Use of Rogue Cloud Services / Shadow IT
          1. Poor or un-monitored employee choices
      3. Compliance to company protocols on cloud computing
        1. Safe Lists
        2. Personal responsibility for safe cloud use
    4. Social Media / Blogging
      1. What you can and cannot share about your company
        1. Possible: Social Media Policy / social media component of privacy policy
      2. Consequences of making information public
        1. Public vs. private blogging vs. anonymous blogging
          1. Use of company information in private blogs
        2. LinkedIn: Use of examples from work
      3. Malicious malware via social media
        1. Facebook
          1. Caution w/ 3rd party apps
          2. Regularly view and maintain apps you have downloaded.
          3. Avoiding scams/offers/click-jacking
          4. Understanding FB interface / difficulty distinguishing scams from legit
        2. Twitter: Shortened URLs (bit.ly)
          1. Detecting/checking shortened URLs (hovering, link scanners, link checking services)
        3. Avoiding Phishing Messages
          1. Shared w/ friend/coworker does not make it legit
          2. Consequences: can steal login info
    5. There's a Privacy angle to this which we will address in Data Privacy
  13. Maintaining Computer Security
    1. Computer Setup
      1. Locking computers
      2. Installing Firewall, Anti-virus, Malware Detection
      3. Installing updates, Network Safety
      4. Back-up best practices
    2. Network Security
      1. Different Network Types
      2. Network Configuration & Detection of Changes in Network Preferences
      3. Bluetooth and Wireless
        1. Endpoint Security (each device)
      4. Hot spots
      5. Network breach sources
        1. Infiltration
        2. Exfiltration
        3. Aggregation
    3. Password Safety
      1. Password Habits That Protect You (existing lesson)
      2. What Makes Passwords Vulnerable (existing lesson-might retitle)
    4. Data Encryption / Authentication
      1. What is encryption and why is it used?
        1. Encrypting and decrypting
          1. Plain text vs. cipher text
          2. Good encryption passphrases
        2. Backing up data before encrypting
      2. Devices that may require encryption
        1. Hard drive
          1. What is important to encrypt on your hard drive?
        2. Mobile/portable devices
          1. Added sensitivity of Data on Portable Devices
          2. USB flash drives
          3. Determining if encryption software is built in or if you must install
          4. Smartphones
          5. Determining if encryption software is built in or if you must install
          6. Laptops
          7. Encrypting specific files vs. full disk encryption
          8. Laptops vs. Flash drive: is it better to keep sensitive files only on a flash drive?
          9. What about tablets?
      3. Activities that may require encryption
        1. Web browsing when using public Wi-Fi
          1. What are the risks of using a public network?
          2. Using HTTPS connections
          3. How to encrypt and secure your entire browsing session
        2. Email
          1. Using encryption software to encrypt sensitive emails
      4. Encryption Software
        1. How to recognize good encryption software?
      5. Do these belong in other topics?
    5. This needs to be rolled into another track. Computer setup?
    6. Not just the first time, relevant beyond