Cyber Security Awareness Training For Employees (FULL Version)

Captions
[Music]

Phishing. If someone wanted to catch their own seafood dinner, they would set some bait on a hook, cast it into the wide ocean, and hope that they could trick a fish into biting what it thinks is just something to eat. If someone wants to distribute malware or steal personal information, they might send out an email with bait that looks like something worthwhile and then cast it to a wide audience, intentionally deceiving people by posing as a legitimate company, service or individual. Criminals typically utilize email to pretend to be a company or service requesting that you do something, usually urgently. They're hoping that you then click the link and fill out the requested information. Once they have this information, they may be able to use it in the future to steal your identity or access your accounts.

An even more direct and targeted method is called spear phishing. Instead of going after many victims for a small reward, the criminal goes after an individual or a small number of high-value victims. This method uses information tied to your company or to you personally, from research on social media or elsewhere. Email addresses and links look very close to a colleague or business partner, and corporate and partner logos are often used to look authentic. The goal is typically to get access to a system by gathering your credentials or to install malware on your computer.

So what should you be looking out for with phishing emails? Well, first look at the sender: is it actually who it claims to be? It may say it's from PayPal, but when you look at the domain name, the part after the @ symbol, it has nothing to do with PayPal at all. Another tell is grammatical or spelling errors contained in the email. And finally, if you mouse over the login link at the bottom, you'll notice that it does not say PayPal.com. These tells reveal that this email is not from the real PayPal. Usually the tells are fairly easy to spot when you know what to look for, but sometimes they're much
more subtle, maybe only off by a letter or two or just inverted. The safest practice is to never click on a link in an email, but instead to go directly to the site by typing in the URL, clicking on the link in your favorites, or performing a search for the organization.

Some of the top tips to avoid phishing are: check who the email sender really is; check the email for grammar and spelling mistakes; mouse over the link to see where it goes to; if you are ever at all unsure, do not click the link, instead manually type in the company's URL in your browser; contact your IT security team if you're unsure at all about an email.

Email attachments. Everyone knows better than to open the door to a suspicious stranger with a bag and let them inside, but this is actually a very common occurrence in the digital world. Email attachments are one of the most common ways to get infected with malware. It's critical that you avoid opening an attachment if you don't know who an email is coming from. Even though it may look like an Excel file, a PDF, an image or something else, it may in fact be malicious. A downloaded attachment can sometimes immediately infect your computer, or may execute a macro after opening a document such as Word or Excel. Your IT department may put rules in place to keep certain types of attachments from being sent or received, but even if so, be sure to always be cautious before opening anything, and let your IT department know if you think you receive a sketchy email.

Be cautious also with attachments from people you do know. Check the address of the sender to make sure it's who it says it is and not someone impersonating them. Even if it is from the correct address, their email could have been hacked and used to trick you into opening something malicious. If the email seems fishy or isn't typical of them, do not open the attachment. When in doubt, connect with your IT security team or follow other company policies for suspicious emails, and call or text the sender and ask if they
actually sent the email. If they did not, let them know they should change their email password and security questions, because they were probably breached.

Let's review the top tips for email attachments: never open or save attachments from an unknown sender; even when an email comes from someone you trust, if it looks fishy, don't open or save the attachment; let your IT department know if you receive a suspicious email.

As you're obviously aware, everyone gets spam. Even with the best protection, some spam email still slips through the cracks, but you can use applications or extra levels of defense that can help. When it comes to spam emails, never open them, even if you think the subject line is funny or useful and you really want to see the content inside. The reason for this is, many times these spam providers have read receipts on the email they sent. This means they know how many people open their emails and which email addresses open their emails. They also know that your email address is legitimate and there is a person who is actively checking that email address. By opening their spam email, you've just told the spammers: send this person even more spam. The same thing goes with responding to spam emails: you're letting them know you exist and that you're a real person.

Initially they'll send out spam to every email address they can think of. Computers randomly generate email addresses, not knowing whether an email address is valid or not. They're testing the waters and seeing where they get bites. Also be very careful when using your email address to sign up for contests or enter websites. Often when someone is offering something for free or requesting your email address for something, they're going to sell that email address to marketing and other companies to make money, which results in even more spam.

When posting your email to a public website such as a classified website, always add special breaks in your email address. Don't write out your email address with the proper @ sign or
the proper period symbol, because you don't want that link to be easily copied and pasted or clicked on. Spam bots are trolling the internet looking for email addresses to send spam to, and changing to this format prevents them from easily collecting your address, but humans reading that email address can still understand it perfectly.

The top tips for spam protection are: use a third-party spam blocker; never click, open or respond to spam messages; when posting email to classified sites, use the following format to keep spam bots from retrieving and using your address

[Music]

Can these answers be found on your Facebook account or other social media accounts? Things like: In what city did you grow up? What's your dog's name? What high school did you attend? What's your favorite book? What's your dream job? What's your mother's maiden name? It's very risky to post this information on social media because of security questions. Security questions exist on just about every website that requires a username and a password. So for instance, does something like this look familiar? It asks you to first enter your birthday, then it asks you for the answers to your security questions, such as those I just mentioned. These are things that friends know, that family members know, and that anyone who is a social media connection can likely find out.

Typically users are very honest when it comes to security questions. Whenever it asks for their mother's maiden name, they enter their mother's maiden name. Whenever they ask for their pet's name, they enter their pet's name. Malicious parties can utilize your social media account to find the answers to these questions, which then allows them to reset your password. This is especially a concern when people's Facebook, Twitter or other accounts are public. Anyone can search the internet, find your account, then view the information on that account. The best practice is to not be honest when filling out these questions. Just treat the security questions as another password
field. If it asks you for your pet's name, don't enter your pet's name; enter something completely unrelated. If it asks for your mother's maiden name, do the same thing and do something completely unrelated. Now you don't have that security concern of giving strangers answers to these questions.

Poor password hygiene is another security risk. Typically people use the same password across all websites. Passwords can now be a gateway into identity theft. That's because everything that we do nowadays is on the Internet: banking is done on the Internet, social media accounts are on the Internet, email and almost everything else. Once people gain access to your passwords, they can ruin your life by changing them, sending emails to people, and accessing accounts you don't want them to access.

So what kind of things indicate poor password hygiene? First, you have to create a complicated password based off a website's requirements. Because the password is kind of complicated, you have trouble remembering it, so you write it down on a sticky note and slip it under your keyboard, or you might have an Excel document on your computer with all of your passwords. You may not realize that if somebody walks by your desk, they can see what your passwords are, or if someone steals your computer, they have access to all of your passwords as well. Also, chances are you've used the same password on your email, banking or social media accounts. Additionally, freely sharing passwords with friends, family members and colleagues may not seem like a problem, because you may think they're never going to use it in any sort of malicious way, but you can never be sure.

When it comes to passwords and password complexity, this is what users typically do. If it's an eight-character password, they put in something like "elephant". If it requires a number, they just toss a number on the end of their core password. If a symbol is required, they put a symbol, then an exclamation point, on the end. Then they capitalize a letter. So if you notice,
these passwords really aren't getting any more complicated. If I knew your password was "elephant", then I could go to a website, see what requirements that says are needed for a strong password on this site, then toss in a number or a symbol if that's what's required. It makes it much easier to find out what your password is if you follow this process.

Often, to help avoid data breaches, some passwords are required to change every 90 days. Because some people don't understand why they have to do this, they see this as an annoyance, and they end up just changing the number and the symbol at the end. Then they go to the next button on the keyboard, because it helps them remember their passwords. Once again, you have that core password that is never changing at all. But after your password is stolen, it's very simple for people to try all of the alternative options of the password. So for instance, if a data breach happened and the password that was stolen was "elephant", they would go to a website, maybe Facebook, maybe your email, and look to see what requirements they have for making a password. For instance, if a website requires 8 characters and a symbol, there are only 32 symbols on the keyboard, so it would take a human 5 or so minutes to go ahead and crack that password by trying all of the different options. Computers can carry out these tasks in fractions of a second, except instead of trying one website, they're trying hundreds of websites all at the same time, trying that password that was just stolen and all of the different variations on that password: numbers, symbols and so forth. So it becomes very easy to take over all of your accounts if just one is compromised.

So how do you help yourself to remember passwords or to create strong passwords? There are lots of password managers out there that will help you create a strong password and will even autofill your passwords into your web browser. So whenever you start a new web session, it will ask you to enter your master password, which is
something you should keep very complicated and you should never tell anyone. Then, once you enter that master password, if you go into any website that requires a username and password, it will automatically be completed for you. So now you have one master password, but every website on the Internet will have its own unique password. If at any point a website or account is compromised, you don't have to go and change hundreds of websites' passwords; you just have to go change the one place where it was compromised. It saves you time and it makes things much safer.

A great resource to know about when it comes to data breaches and passwords that are out there is what I like to call a password hygiene checkup. It comes from this website right here. It currently checks over 210 website data breaches. Across those 210 websites there have been two point six billion compromised usernames and passwords. So treat it like a credit check: run it every so often. You can actually sign up for notifications, so if there's ever a new data breach and your account was part of it, they'll let you know. Then you can go and change the password and your security questions on that website. If a data breach happens, make sure to change not just your password but change those security questions as well, because those might also have been compromised.

Two-factor authentication is a way to protect you against weak or compromised passwords. Email is the most important account needing protection, because if someone gains access to your email, they can use the password reset function to gain access to other services. Typically, when you click the password reset button, it sends you an email asking you, did you attempt to reset your password? Then you just click a link and enter in your new password. Two-factor authentication protects against this by requiring something you know, your password, with something you have, like your mobile device, where a one-time password or push authentication is sent in order to get in. Make sure to
enable two-factor authentication everywhere that you see it's available. Lots of businesses are now starting to adopt two-factor authentication, and most personal websites like email, social media and banking websites are all moving to two-factor authentication or already have it implemented. Once set up, an attacker can't break into your email account without both your password and possession of your mobile phone. For the best security, make sure your device has a strong password or uses the fingerprint reader or face recognition to protect it if it's lost or stolen. This third security factor means someone would need three different things to break into your email.

When possible, use a mobile application for two-factor authentication or enable push authentication for your device. This is more secure than using SMS or text messages, because SMS uses your cellular service. While not common, if an attacker gets your phone, they don't have to know your password or use your fingerprint to get the SMS one-time password. They could just take the SIM card out of the phone, plug it into another phone, and receive text messages with the one-time password to authenticate whatever account they're trying to access.

The top tips for password safety are: make sure to use unique passwords across all websites and all applications; enable and utilize two-factor authentication on all websites that allow it; when you're creating your answers to security questions, make sure to choose unique, non-true answers so you don't have to worry about someone resetting your password by knowing information about your personal life or finding information on your social media accounts; finally, if a data breach does occur, make sure to fully change your password, not just the number and symbol, and make sure to change your security question answers as well.

[Music]

There are many types of infections, including computer viruses, worms, Trojans, rootkits, ransomware and spyware, often several of these combined into one attack. One
type discussed frequently this year is ransomware, which encrypts all of your files so that you lose access to them, then asks you to pay a ransom in order to regain access. But usually, despite paying, you never regain access to your files anyway.

Malware continues to grow. This graph from AV-TEST shows the growth of malware over the years. On the left side is the total number of malware, grouped by year. Now we're at a point where on average we see about 390 thousand unique threats per day. Unique threats aren't extremely dissimilar; they're often changed in the smallest amount possible to evade detection. That could be one little part of the code or one byte of the application.

Malicious threats are targeted. In order to have a higher penetration rate or success rate, malicious actors will research who they're trying to attack: are they using the Windows operating system? What antivirus are they using, if any? Then, once they have that information, they can build their malware in order to penetrate into those exact environments. Once they're ready and their malware is successful, then they can deploy it directly to the target. Attackers are often specifically targeting businesses and industries. They're making sure their malware has the best chance to succeed in those places.

Does malware target only the Windows operating system? This is probably the most common question we get asked. Malware definitely exists on other operating systems outside of Windows. However, Windows is typically the main target because it has the highest market share, and malware authors want a large penetration rate. They want to infect as many systems as possible, so that means deploying malware designed for Windows. Because of its broad market share, they don't have to do as much work in order to take over as many computers as possible. However, when new malware is released on other operating systems, it typically has a very high penetration rate as well, because people believe that their Android devices, their Macs and their
Linux devices are safe without having any endpoint security at all. So when a piece of malware gets deployed to those OSes, they don't have any protection to prevent it from getting on their systems, and they have nothing in place to detect if their system is infected. That malware will remain there for a very long time, until something starts running funny or they start wondering what's going wrong. Then they run a scan to see what might be happening, only to find out that they've been infected for several months.

Is malware on mobile phones? That's another common question we get asked. Mobile phone malware is a growing threat due to users doing the majority of their internet browsing on a cell phone. People are doing banking and social media on their cell phones, and because of this, ransomware or screen-locking malware is a very popular threat to mobile devices. In fact, in 2016 there was a sharp increase in malware targeting Apple iOS devices. One thing to know about iOS devices is that, unfortunately, Apple does not allow software security vendors to create antivirus protections for their products, so users must depend on Apple themselves to fix any vulnerabilities or malware that gets on their devices.

With all this about malware, how does my computer get infected? One of the most common ways computers or devices like cell phones get infected is clicking on malicious links in email. Another is plugging in an unknown flash drive. Maybe you found a flash drive in the parking lot or at the store. You pick it up, you take it home or to work, and you plug it in. Lots of times people place infected drives on purpose to try and purposely infect systems with that flash drive. A third way of getting infected is downloading malware that's masquerading as other software. When you go to the internet looking for a piece of software, you find one that looks like what you want and download it. Once it gets on your computer, you realize it's a virus. Or you get an attachment in an email and you open it up
because it says that it's a Word document, but it's really not a Word document, and you get a virus. Mobile devices get infected very much in the same way. In addition, they can get infected by downloading apps directly from the internet rather than via the official stores, Google Play Store and Apple's App Store. This is a very easy way to get malware, because now you don't have Google and Apple verifying that these apps are legitimate.

The top tips to avoid malware are: install endpoint security on all devices, not just those running Windows; be very careful what you plug in to any of your devices; be very careful on what you click; and finally, get awareness training not just for yourself but for your entire family, so they're aware of the pitfalls and dangers that go along with cybersecurity.

[Music]

Public Wi-Fi is a non-secure or non-password-protected network that users can connect to for free. Typically they're found in hotels, coffee shops, libraries and other public places. When connecting to a public Wi-Fi, don't assume that the network named "library" is actually the wireless network for the public library. Lots of times malicious actors will set up their own Wi-Fi hotspot. They may call it the public library or the hotel, in the hope that unsuspecting users will connect to these fake networks, then send information over them which can be intercepted. This is why it's very important to verify the actual name of the Wi-Fi network with the business, to make sure you're connecting to the proper one and not to a malicious network.

Since public Wi-Fi in general is very insecure, you should treat every single public Wi-Fi connection as compromised or unsafe. What this means is you should not use any sensitive websites, including your banking and social network sites, while on public Wi-Fi. This is because all of that data can be intercepted by someone else on that network, or it could be a fake or malicious network, exposing all of your passwords and all of that data you've just entered while
connected. If you need to access any of these sensitive websites, use your cellphone and do not connect it to Wi-Fi. This makes it much harder for someone to steal any information you're sending over the Internet.

The top tips for using public Wi-Fi are: verify the Wi-Fi name with the business owner prior to connecting; treat all connections on public Wi-Fi as compromised or unsafe; and utilize an endpoint security product to help prevent against cyber attacks while connected.

You've probably heard about the Internet of Things. Sometimes it's referred to as IoT. The Internet of Things refers to any non-traditional devices that are connected to the Internet. So it's not computers, tablets or cell phones, but things like thermostats, cameras on doorbells, or even your refrigerator that connect to the Internet. They allow you to change the temperature in your home while you're away, see who might be at your front door, or even show you what's in your refrigerator. These things are all very interesting and convenient, but they open up a security hole, because now your camera or thermostat can be accessed via the Internet, and if somebody is able to guess or discover your password, they can connect to it as well.

Sometimes people forget to change the default password on these devices. They take them out of the box, plug them in, and then connect to them. Or they might buy a camera and not realize that it includes web access. If it does enable web access and you're not going to use it, make sure to disable this feature. Make sure all of your devices are kept up to date. Just like your computer or mobile devices, IoT devices have regularly released updates which add features, fix bugs and close security holes. You always want to make sure all of your Internet of Things devices are running the latest version of their software. You can do this by looking at the vendor's or manufacturer's website or by logging into your device itself. If you don't know how to do this, you can find out by reading the manual or
looking at the vendor's website. When you log in, they will typically tell you if the device is out of date or not.

Now let's talk about routers, which are the first line of defense to protect Internet of Things devices from exploitation. Just about everyone who has internet access has a router. Lots of people don't realize that routers should immediately be changed from the default username and password to something unique. This doesn't mean the name of your wireless internet or your wireless password to get on the internet, but the username and password that's used to log into the device itself to make changes to your wireless network. If left as the default, a criminal knows the password for anyone who has an X brand router. Changing it to a strong password makes it harder for anyone to get into that router and make changes or compromise your security in any way. If someone gains access to your router, they can see all of the other devices on your network. Now they can find out which devices they can take over and utilize for their benefit, such as watching the cameras you have connected to the Internet.

Make sure your router is regularly updated to the newest patches and to the newest firmware. You do that in the same way as you would do it with Internet of Things devices. You can log into the router itself and see if it tells you if there's a new version or not, or go to the vendor's website, look up the model that you have, and see if there are any updates out. If there are, follow their guide to get the newest and latest version of the software, to make sure that your security won't be compromised.

The top tips for staying safe while using Internet of Things are: change the default username and password on all devices, including your routers; if you do not utilize web features, disable them on all Internet of Things devices; make sure all of your Internet of Things devices, including routers, are kept up to date with the newest firmware or patches that are provided.

HTTPS is a protocol for
secure communication over a computer network which is widely used on the Internet. It's typically notated by displaying a green lock in the web address bar. Basically, HTTPS is making sure that your traffic is being sent from you to whatever party is requesting it without anyone in the middle reading it or intercepting it, so it's sending it securely to the website you're on. No sensitive information should be typed into a page that is not secured by HTTPS. If there's a page requesting your information, like your phone number, your email, or other things like your credit card or social security number, make sure that it's secured by HTTPS before you type in any of that information. Submitting information to a site without HTTPS is similar to leaving your credit card out in the open on a table, because anyone walking by could note the information and use it for their gain.

However, even though a page is secured by HTTPS, it does not automatically mean the page is safe. Sometimes people make it look like it's HTTPS by putting fake icons in place and displaying on the screen that it's HTTPS. Or, even though the information you send gets securely to the recipient, they may not be reputable and could be using it maliciously. Of course, if it's a big-name website it's probably reputable, but when in doubt, search the name of the website in a search engine and review the results that are unaffiliated with the website.

Most browsers nowadays have begun to let users know more easily when they are on a non-secure page. Many browsers show a notification in your address bar saying "this is not secure", or they make you click "continue" when you're going to a page that's not secure, letting you know that this is not a place where you should be entering in any sort of sensitive or confidential information.

The top tips regarding the use of secure websites are: be very careful where you enter in sensitive information; check to see if the site is secured by HTTPS; and heed the warnings your browser gives you.
Don't focus on what the texts or icons say on the page itself; instead, look in the address bar, because that's where the browser will be telling you whether it's secure or not. Then check to make sure this is a reputable website before entering a credit card number or other sensitive information. Also look for misspellings, grammatical errors, and icons that don't look right as good identifiers that this is not a website where you want to enter your information.

A web content filter screens web traffic based on pre-configured policies set by the administrator. What that means is the administrator could decide they don't want people to be able to use Facebook or go to shopping websites or sports sites like fantasy football. You can put rules in place to keep employees from doing this. Usually there are both home versions and corporate versions of filtering software. The home versions primarily focus on child safety. You can prevent your kids from going to specific websites like YouTube or other video sites, or from stumbling upon content they shouldn't be viewing. Corporate versions of filtering software focus on increasing employee productivity by reducing the non-company-related sites to which users can browse. If Facebook is allowed at work, that sometimes leads employees to surf Facebook for several hours a day, or they're shopping, engaging in fantasy football, following sports, reading the news and so forth. So web content filtering can not only restrict to what sites users can go, but can also restrict how much time they could spend on certain sites.

Web content filtering can also be used to filter malicious content and protect the user. By implementing a web content filter, not only can it help with productivity or help protect your kids from going to bad websites, but it can also help to protect you from any sort of malicious content or advertisements.

The top tips about web content filters are: use web content filtering at work to increase employee productivity by helping them focus on
work-related activities; curb risky user behavior and reduce malware exposure by preventing access to links from email or web searches that lead to risky websites; use web content filtering at home to protect children's mobile devices and computers from displaying inappropriate content.

The Internet is vast and there are lots of different components to consider for internet protection. Let's start with something that most people use every day: search engines. Nowadays users use search engines to ask every question they can think of. At work they're typing in questions on how to do their job, find a formula, look up a word, create a plan, download a document or a template that is already formatted for their needs, and much more. And they're searching for things that they shouldn't be searching for at work: how to download the newest music or movie or watch a certain TV show. The problem is they're also clicking on the search results without first checking if it's a legitimate site.

This commonly happens on social media websites as well. Because their friend posted something, that means it must be safe, right? So they click on the link and they get infected. Both with search engines and social media, just because it's posted by your friend or just because the result comes up in a search doesn't mean it's legitimate and safe at all. Even if a website is reputable, an advertisement being displayed could be malicious and infect your computer or mobile device. So you need to be concerned not just about websites but also about advertisements.

Next, free things such as music, movies, game cheats or more are very commonly filled with malware, and they are rarely what they say they are. So not only is piracy a crime, but malicious actors prey on people who are looking for free things. They aren't always illegal or pirated things like music or movies, but often are other things like documents to help you with your business or free marketing plans and so forth.

Some great tips to remember when using search
engines are: stick to clicking on sites on the first page of results. After you start going past the first page, start being very cautious about things that you click on, because that's when you're getting into results that are not as reputable, not as commonly clicked on, and don't have as much related content. Be careful when clicking on non-name-recognizable sites, as you don't know where it's going to take you. Be very careful when you're downloading anything that says it's free, because even if it is actually free and it's a legitimate download, they might put something on your computer that you didn't want or something that is malicious.

[Music]

Social engineering is the manipulation of people into disclosing confidential or sensitive information. Most commonly it's done over email, but it's also regularly carried out over the phone or in person. It can be a slow gain of information, or it can be an attempt to gain all the information needed at once. One example of this is if someone calls the office and asks who's the boss or who's the CEO, then they request his or her email address, and maybe they request their phone number. Now that attacker has the username as well as the name of the person they need to target in order to compromise the business. So any pieces of information they can grab can be used in future attacks. Another common example is when a person walks into the office and pretends to be a contractor or delivery person. Due to their uniform, people assume that they can be trusted. Then that person walks into a room with sensitive information, steals it, and walks out of the office. You may not realize that there's a risk taking a phone call or letting someone into an office, but information they gather can be used to steal your identity, steal data related to your company, or do other malicious actions. This is a great tip for your personal life or your home life as well, because if somebody calls saying they're from the credit-card company, the IRS, some vacation resort, or
someone says that they're lost or they're out of money in a country, call them back and see if it really is who they say they are. The top tips regarding social engineering are: be very careful with the information you disclose and to whom you disclose that information; verify the credentials of all contractors, don't just go by what their uniform looks like; if you have any doubts on the identity of the callers or visitors, call their official company to verify who they are.

Insider threats. When it comes to cyber crimes, a lot of the focus is centered on external threats and on the individuals who actively attempt to cause harm and damage, whether by infecting a computer system with malware, phishing for information, or through the encryption of files for ransom. However, more and more enterprises are beginning to recognize the dangers posed from within, and how insider threats can be just as devastating as their external equivalents. But who is an insider? Insiders can be current or former employees, business partners, contractors, or anyone who has or had access to an organization's systems or data. Insider threats can occur in many ways. A disgruntled employee may maliciously access sensitive data for personal gain. An employee could unwittingly expose a company's sensitive data by becoming victim to phishing or social engineering activities, providing an external infiltrator with insider access. But whatever the means, insider threats can result in financial loss, data theft, loss of physical assets, reputation damage, and more. So what can you do to help protect your business from the inside? To help combat these threats, follow these steps. Number one: increase your employee awareness to cyber criminal tactics, and teach them how to recognize phishing, social engineering, and other attack vectors. Number two: implement a data use policy, usually part of an acceptable use policy or AUP, which spells out what employees may and may not do with information owned by or entrusted to an organization
referring to security, privacy, and proper management. Employees must read and accept the data use policy and understand the consequences of breaking the rules. Number three: implement security tools to help prevent, protect, detect, and respond to security incidents. These may include a reputable antivirus software, encryption products, two-factor authentication, and in some cases threat monitoring services. Number four: finally, consider physical security as part of your data protection plan, including badge access to the workplace, strict password and account management policies, and limited access to sensitive information to only those who need it. Through these practices, businesses can improve their overall security posture and better protect themselves from these types of threats. [Music]
Info
Channel: Burgi Technologies
Views: 144,381
Id: wygwHXYj_TI
Length: 43min 1sec (2581 seconds)
Published: Sun Feb 09 2020