webinar-workplace acceptable use by verizon enterprise
TRANSCRIPT
Proprietary statement
This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon's service.
© 2017 Verizon. All rights reserved. The Verizon name and logo and all other names, logos and slogans identifying Verizon's products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries.
All other trademarks and service marks are the property of their respective owners.
Please advance to the next slide where you can watch the video. The total slide deck is available for your reference after the video. Thank you.
Agenda
1. Acceptable use policy (AUP) defined
2. AUP—what is allowed
3. Disgruntled employee—the Absolute Zero
4. AUP—what is prohibited
5. Partner misuse—the Indignant Mole
6. Portable storage devices
7. USB flash drive—the Hot Tamale
8. Takeaways
Definition and purpose
Definition: An acceptable use policy (AUP) defines specific restrictions and requirements for using company-owned information system assets in order to protect both the company and the user from legal and security risks.
Purpose: The purpose of a workplace AUP is to outline acceptable use of the company's information systems. A lack of adherence to the AUP potentially exposes the company to risk, in the form of malware, data compromise, service reduction/denial as well as civil, criminal and regulatory liabilities and penalties.
Scope, compliance and enforcement
Scope: This policy applies to the use of information systems and network resources, including all owned or leased computer equipment, to conduct the company's business. All employees, contractors, consultants and other individuals with access are responsible for adhering to the workplace AUP when using the company's information systems and network resources.
Compliance and enforcement: The company will verify compliance to the workplace AUP through various methods including, but not limited to, monitoring, auditing, notifications and feedback. An employee found to have violated this policy may be subject to disciplinary action, up to and including termination.
Social engineering
Include clear definitions of allowed
personal use. For example, are any of
the following actions permitted, and if
so, are there restrictions?
Access to:
• News/weather
• Financial accounts
• Personal email, including attachments
• Known shopping websites
• Audio and/or video streaming
• Social media (more on that later)
What is allowed
Yes. Your employees are going to use
social media at work. So establish
clear policies for personal social
media use.
• Blogging and social media should be included in
the company's AUP.
• Social media users in the workplace should take
extra precautions to respect the privacy of other
workers, especially with photos and video.
• Emphasize that confidentiality and proprietary
information requirements apply to blogging and
social media.
• Include business versus personal opinion
disclaimer requirements.
What is allowed
Security requirements, including
remote workers and public Wi-Fi.
sans.org/security-resources/policies/general/pdf/acceptable-use-policy
• Establish policies regarding the use of company
information systems on public resources, such as
public Wi-Fi access points and publicly accessible
computers in hotel business centers.
• Establish policies for home Wi-Fi connections for
remote workers using company information
systems.
• Define password size, complexity and device
auto-lock policies. Consider multi-factor
authentication, especially for remote workers.
• If applicable, develop policies for BYOD (Bring
Your Own Device).
Disgruntled employee—the Absolute Zero
Layoffs, pay cuts or organizational shifts may leave some employees rationalizing nefarious activities.
A "pre-competitive" advantage
• A manager became disgruntled during an organizational restructuring.
• Used admin access to take over other accounts and download confidential files.
• The case seemed cut and dried—but the lawyers still required digital evidence.
verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/
Human Resources
Disgruntled employee—the Absolute Zero
Response and investigation
• A programmer reported an app with unexpected failures.
• Suspicious log entries showed manager's account logged
into server prior to issues.
• Manager admitted accessing multiple email boxes to collect data
for use in new job.
• Investigation confirmed documents stolen; however, mass delete
commands also found.
• These commands were scheduled for critical times, such as during the
tax season.
Attack-defend card
Disgruntled employee—the Absolute Zero
Lessons learned
• AUP should clearly restrict unauthorized account access and reflect
safeguards such as auditing or alerting.
• Maintain a "need-to-know" regarding restructuring moves.
• Put in place an action plan to mitigate vindictive behavior by
those affected.
• As part of the transition, conduct a thorough asset inventory.
• Safeguard terminated employee systems after termination.
• Work closely with HR and Legal throughout the investigation.
What is prohibited
Prohibit unauthorized use of
intellectual property.
• Accessing company information assets (without
explicit permission).
• Company proprietary information, including confidential
financial information.
• Copyrighted photographs from books, magazines,
or websites.
• Copyrighted (pirated) software.
• Copyrighted music, including internal sharing or visiting
illegal downloading or streaming websites.
• Using company resources for illegal activity.
What is prohibited
Prohibit unauthorized use of
sensitive information.
sans.org/security-resources/policies/general/pdf/acceptable-use-policy
• Sharing accounts, including co-workers.
• Providing or sharing passwords, private encryption
keys or tokens.
• Revealing or sharing restricted material to
unauthorized parties.
• Distributing copyrighted music, including
internal sharing.
What is prohibited
Other suggested prohibitions.
dhs.gov/sites/default/files/publications/mgmt_directive_4900_individual_use_and_operation_of_dhs_information_systems_computers.pdf
sans.org/security-resources/policies/general/pdf/acceptable-use-policy
• Creating or forwarding chain emails.
• Personal use of company's software licenses.
• Pornographic/gambling/illegal or malicious
websites.
• Circumventing company information security
policies and requirements.
• Executing network monitoring tools on the
company's network without permission such as port
scanning.
• Running unauthorized scripts, commands or
programs.
Partner misuse—the Indignant Mole
Partner misuse involves semi-trusted entities with some level of access that, either through purposeful maliciousness or inadvertent ineptitude, lead to a breach.
The broken circle of trust
• A water company was receiving reports from its enterprise customers.
• Reports indicated incorrect changes had been made to online account details.
• Upon review, customer bank details had been changed; refunds were transferred fraudulently to new bank accounts.
• The refunds totaled over £500,000, but no evidence of a breach could be found.
verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/
Human Resources
Partner misuse—the Indignant Mole
Response and investigation
• No malicious software was present on the company's systems.
• Key stakeholders were interviewed—including a third-party call center in
India.
• A Mumbai user had accessed the accounts in question; however,
no evidence of foul play.
• His/Her home computer was examined; it had been sanitized (wiped)
of virtually all data.
• Shadow copies revealed user sent account details to a relative in UK,
who had perpetrated the crime.
Attack-defend card
Partner misuse—the Indignant Mole
Lessons learned
• Review in-place agreements with all partners, especially those who
have access to critical data.
• Ensure background checks occur on partner employees.
• AUP should define and mitigate external device threats such
as cell phone cameras.
• Establish data classification and limit access to sensitive data.
verizon.com/about/responsibility/cybersecurity
Portable storage devices
Portable storage devices can be a
threat to your organization—both as
a cause of infection and as a means
of data exfiltration.
• The AUP should include portable device use and security
requirements.
• Consider prescribing within the AUP that storage media
brought into the workplace and/or inserted into a company
system is subject to seizure and search.
• External storage devices can be restricted both by policy
and through software restrictions (blocking USB port
usage).
• Ensure proper virus scanning is performed if external
devices are allowed.
• Include security requirements for BYOD mobile phones
and tablets.
• Consider all the ways data can leave your facility, not only
by data storage, but also through recording devices such
as cameras and voice recorders in cell phones.
• Balance security risks with employee inconvenience
(should personal cell phones be restricted in the building?)
What other safeguards can be put in place?
USB infection—the Hot Tamale
Threat actors with physical access can introduce toolkits, built to run directly from the USB device itself, to bypass access controls.
The dirty cleaner
• A contracting company announced unilateral pay cuts; an outsider offered "bonus pay" to a janitor in need of cash.
• The task was simple: at night, plug a USB flash drive into company systems.
• Several systems were suspected of being accessed by an external entity via malware.
verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/
Internal Investigator
USB infection—the Hot Tamale
Response and investigation
• Domain log searches for IoCs identified several systems accessed by an
admin account.
• System log analysis revealed suspicious CLI-related exploitation
attempts just after USB device introduced to systems.
• Investigation found malware tied to this activity, to include
USB device.
• Timeline analysis led investigators to janitorial staff; needless to say,
janitor was terminated.
Attack-defend card
USB infection—the Hot Tamale
Lessons learned
• AUP should address USB device usage, to include approved devices;
consider also including the right to seize unauthorized devices.
• Ensure anti-virus solutions are configured to automatically scan
removable devices for viruses.
• Disable USB device auto-run functionality.
• Limit local admin account usage.
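A host-level audit-and-harden script for the three technical controls in the lessons above (autorun off, removable media scanned, local admin membership reviewed), added here as an example that is not part of the Verizon deck; it assumes a Windows host running Microsoft Defender and an elevated PowerShell session, and applies settings to the local machine only (in a domain these would normally be pushed by Group Policy).

```powershell
# Added example (not from the Verizon deck): local audit/hardening for the
# "Hot Tamale" USB lessons. Run elevated; writes to the local machine only.
$ErrorActionPreference = 'Stop'
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Test-AutorunDisabled {
    # Explorer honours NoDriveTypeAutoRun (bitmask; 0xFF = every drive type)
    # and NoAutorun (1 = ignore autorun.inf entirely). Both must be set.
    $p = Get-ItemProperty -Path $explorerPolicy -ErrorAction SilentlyContinue
    return ($p.NoDriveTypeAutoRun -eq 0xFF) -and ($p.NoAutorun -eq 1)
}

function Set-AutorunDisabled {
    if (-not (Test-Path $explorerPolicy)) {
        New-Item -Path $explorerPolicy -Force | Out-Null
    }
    Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Set-ItemProperty -Path $explorerPolicy -Name NoAutorun -Value 1 -Type DWord
}

# 1. Autorun: the weak state is any value other than the two checked above
#    (a missing key means Windows defaults apply, which still honour autorun.inf).
if (Test-AutorunDisabled) { 'Autorun: already disabled by policy' }
else { Set-AutorunDisabled; 'Autorun: disabled (policy values written)' }

# 2. Removable-drive scanning in Microsoft Defender. Other AV products expose
#    an equivalent setting in their own console; this is the built-in one.
$pref = Get-MpPreference
if ($pref.DisableRemovableDriveScanning) {
    Set-MpPreference -DisableRemovableDriveScanning $false
    'Defender: removable-drive scanning enabled'
} else { 'Defender: removable-drive scanning already enabled' }

# 3. Local admin usage: list members of the local Administrators group so
#    unexpected accounts can be reviewed. Removal is deliberately left manual.
'Local Administrators members:'
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass |
    Format-Table -AutoSize
```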
Takeaways
• Put in place an AUP that defines specific restrictions and
requirements for using company-owned information
system assets in order to protect both the company and
the user from legal and security risks.
• AUP should reflect corporate culture while protecting
both the company and the user from unacceptable,
inappropriate, malicious or dangerous activities.
• Create an AUP that supports and ties in to other
company policies, standards and guidelines.
• Regularly review and audit the AUP and update it to
meet the challenges of an ever-evolving cyber threat
landscape.
Cybersecurity awareness resources
2017 Data Breach Investigations Report
The Verizon Data Breach Investigations Report (DBIR) is back. Now in its tenth year, it's an unparalleled source of information on
cybersecurity threats.
verizonenterprise.com/verizon-insights-lab/dbir/2017/
2017 Data Breach Digest: Perspective is Reality
Our 16 new cybercrime case studies provide insight into the biggest threats you face—plus tips on how to prevent them.
verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/
Insider Threat: Protecting the Keys to the Kingdom
Discover how to spot the signs of an Insider Threat using our cybercrime case studies and in doing so put measures in place to help
protect the keys to your kingdom.
verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/
Verizon Product Responsibility
Securing yourself against cyber attacks (covers five data breach scenarios).
verizon.com/about/responsibility/cybersecurity
Verizon Corporate Responsibility
Cybersecurity tips to help you stay safe online (covers the same five scenarios as above).
verizon.com/about/news/cybersecurity-tips-help-you-stay-safe-online