Webinar: Workplace acceptable use, by Verizon Enterprise

Workplace acceptable use. Rebecca Meller, Security Product Marketing, December 2017

Upload: verizon-enterprise-solutions

Posted on 21-Jan-2018


TRANSCRIPT

Workplace acceptable use

Rebecca Meller, Security Product Marketing, December 2017

Proprietary statement

This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon's service.

© 2017 Verizon. All rights reserved. The Verizon name and logo and all other names, logos and slogans identifying Verizon's products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.

Please advance to the next slide where you can watch the video. The total slide deck is available for your reference after the video. Thank you.

Agenda

1. Acceptable use policy (AUP) defined
2. AUP—what is allowed
3. Disgruntled employee—the Absolute Zero
4. AUP—what is prohibited
5. Partner misuse—the Indignant Mole
6. Portable storage devices
7. USB flash drive—the Hot Tamale
8. Takeaways

Acceptable use policy defined

2017 cybersecurity awareness month


Definition and purpose

Definition: An acceptable use policy (AUP) defines specific restrictions and requirements for using company-owned information system assets in order to protect both the company and the user from legal and security risks.

Purpose: The purpose of a workplace AUP is to outline acceptable use of the company's information systems. A lack of adherence to the AUP potentially exposes the company to risk in the form of malware, data compromise, and service reduction or denial, as well as civil, criminal and regulatory liabilities and penalties.

Scope, compliance and enforcement

Scope: This policy applies to the use of information systems and network resources, including all owned or leased computer equipment, to conduct the company's business. All employees, contractors, consultants and other individuals with access are responsible for adhering to the workplace AUP when using the company's information systems and network resources.

Compliance and enforcement: The company will verify compliance with the workplace AUP through various methods including, but not limited to, monitoring, auditing, notifications and feedback. An employee found to have violated this policy may be subject to disciplinary action, up to and including termination.

Acceptable use policy—what is allowed


What is allowed

Include clear definitions of allowed personal use. For example, are any of the following actions permitted, and if so, are there restrictions?

Access to:

• News/weather
• Financial accounts
• Personal email, including attachments
• Known shopping websites
• Audio and/or video streaming
• Social media (more on that later)

What is allowed

Yes. Your employees are going to use social media at work. So establish clear policies for personal social media use.

• Blogging and social media should be included in the company's AUP.
• Social media users in the workplace should take extra precautions to respect the privacy of other workers, especially with photos and video.
• Emphasize that confidentiality and proprietary information requirements apply to blogging and social media.
• Include business versus personal opinion disclaimer requirements.

What is allowed

Security requirements, including remote workers and public Wi-Fi.

Reference: sans.org/security-resources/policies/general/pdf/acceptable-use-policy

• Establish policies regarding the use of company information systems on public resources, such as public Wi-Fi access points and publicly accessible computers in hotel business centers.
• Establish policies for home Wi-Fi connections for remote workers using company information systems.
• Define password size, complexity and device auto-lock policies. Consider multi-factor authentication, especially for remote workers.
• If applicable, develop policies for BYOD (Bring Your Own Device).

Disgruntled employee—the Absolute Zero

Layoffs, pay cuts or organizational shifts may leave some employees rationalizing nefarious activities.

A "pre-competitive" advantage

• A manager became disgruntled during an organizational restructuring.
• Used admin access to take over other accounts and download confidential files.
• The case seemed cut and dried—but the lawyers still required digital evidence.

Source: verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/

Human Resources

Disgruntled employee—the Absolute Zero

Response and investigation

• A programmer reported an app with unexpected failures.
• Suspicious log entries showed that the manager's account had logged into the server prior to the issues.
• The manager admitted accessing multiple email boxes to collect data for use in a new job.
• The investigation confirmed documents had been stolen; however, mass delete commands were also found.
• These commands were scheduled for critical times, such as during the tax season.

Attack-defend card

Disgruntled employee—the Absolute Zero

Lessons learned

• The AUP should clearly restrict unauthorized account access and reflect safeguards such as auditing or alerting.
• Maintain a "need-to-know" regarding restructuring moves.
• Put in place an action plan to mitigate vindictive behavior by those affected.
• As part of the transition, conduct a thorough asset inventory.
• Safeguard terminated employees' systems after termination.
• Work closely with HR and Legal throughout the investigation.
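The "auditing or alerting" safeguard above can be made concrete. The following is an added example, not code from the Verizon deck or the Data Breach Digest: two small checks over constructed, SIEM-style events that would have surfaced the two behaviours in this case, one account reading an unusual number of other people's mailboxes in a day, and a scheduled task whose command is a mass delete timed for a critical business period. The event field names, account names, hosts, the destructive-command patterns and the "tax season" window are all assumptions for the example.

```python
"""Added example (not from the Verizon deck): alerting checks for the
'Absolute Zero' pattern. All events below are constructed."""
import re
from collections import defaultdict

# Constructed events (assumption: a SIEM has normalised mailbox-access and
# scheduled-task-creation records into dicts with these fields).
EVENTS = [
    {"ts": "2017-03-01T22:14:05", "type": "mailbox_access", "actor": "jsmith-adm", "target": "cfo@corp.example"},
    {"ts": "2017-03-01T22:15:40", "type": "mailbox_access", "actor": "jsmith-adm", "target": "ceo@corp.example"},
    {"ts": "2017-03-01T22:17:02", "type": "mailbox_access", "actor": "jsmith-adm", "target": "hr@corp.example"},
    {"ts": "2017-03-01T22:19:31", "type": "mailbox_access", "actor": "jsmith-adm", "target": "legal@corp.example"},
    {"ts": "2017-03-01T22:21:11", "type": "mailbox_access", "actor": "jsmith-adm", "target": "sales@corp.example"},
    {"ts": "2017-03-02T09:05:00", "type": "mailbox_access", "actor": "helpdesk1", "target": "bob@corp.example"},
    {"ts": "2017-03-01T22:40:12", "type": "task_created", "actor": "jsmith-adm", "host": "fileserver01",
     "task": "Cleanup", "command": r'cmd.exe /c del /s /q "D:\Finance\*"', "schedule": "2017-04-14T02:00:00"},
    {"ts": "2017-03-03T10:00:00", "type": "task_created", "actor": "svc-backup", "host": "fileserver01",
     "task": "NightlyBackup", "command": r"C:\Tools\backup.exe --full", "schedule": "2017-03-04T01:00:00"},
]

# Command fragments that are worth an alert when they show up in a scheduled
# task (assumption: this list is tuned per environment).
DESTRUCTIVE = re.compile(
    r"(del\s+(/\S+\s+)*/s|rmdir\s+/s|rm\s+-\S*r|Remove-Item\b.*-Recurse|format\s+[a-z]:)",
    re.I,
)

# Critical business periods supplied by the business (assumption: here the
# US individual tax-filing crunch), as inclusive ISO date ranges.
CRITICAL_WINDOWS = [("2017-04-01", "2017-04-18")]


def mailbox_fanout(events, threshold=3):
    """Return {actor: sorted mailboxes} for any actor that accessed at least
    `threshold` distinct mailboxes on a single calendar day."""
    per_day = defaultdict(set)
    for e in events:
        if e["type"] == "mailbox_access":
            per_day[(e["actor"], e["ts"][:10])].add(e["target"])
    hits = {}
    for (actor, _day), boxes in per_day.items():
        if len(boxes) >= threshold:
            hits[actor] = sorted(boxes)
    return hits


def in_critical_window(when):
    """True if the ISO timestamp `when` falls on a day inside a critical window."""
    day = when[:10]
    return any(start <= day <= end for start, end in CRITICAL_WINDOWS)


def destructive_scheduled_tasks(events):
    """Return scheduled-task events whose command matches DESTRUCTIVE, tagged
    with whether the first run time lands in a critical business period."""
    hits = []
    for e in events:
        if e["type"] != "task_created":
            continue
        if DESTRUCTIVE.search(e["command"]):
            hits.append({
                "actor": e["actor"],
                "host": e["host"],
                "task": e["task"],
                "schedule": e["schedule"],
                "critical_period": in_critical_window(e["schedule"]),
            })
    return hits


if __name__ == "__main__":
    for actor, boxes in mailbox_fanout(EVENTS).items():
        print(f"ALERT mailbox fan-out: {actor} read {len(boxes)} mailboxes: {boxes}")
    for hit in destructive_scheduled_tasks(EVENTS):
        print(f"ALERT destructive scheduled task: {hit}")
```

Both checks are deliberately cheap: the fan-out check needs only who read whose mailbox, and the task check needs only the command line recorded at task creation. Neither depends on already knowing which account is disgruntled, which is the point of auditing rather than trusting the restructuring process to stay quiet.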

Acceptable use policy—what is prohibited

What is prohibited

Prohibit unauthorized use of intellectual property.

• Accessing company information assets (without explicit permission).
• Company proprietary information, including confidential financial information.
• Copyrighted photographs from books, magazines, or websites.
• Copyrighted (pirated) software.
• Copyrighted music, including internal sharing or visiting illegal downloading or streaming websites.
• Using company resources for illegal activity.

What is prohibited

Prohibit unauthorized use of sensitive information.

Reference: sans.org/security-resources/policies/general/pdf/acceptable-use-policy

• Sharing accounts, including with co-workers.
• Providing or sharing passwords, private encryption keys or tokens.
• Revealing or sharing restricted material to unauthorized parties.
• Distributing copyrighted music, including internal sharing.

What is prohibited

Other suggested prohibitions.

References:
dhs.gov/sites/default/files/publications/mgmt_directive_4900_individual_use_and_operation_of_dhs_information_systems_computers.pdf
sans.org/security-resources/policies/general/pdf/acceptable-use-policy

• Creating or forwarding chain emails.
• Personal use of the company's software licenses.
• Pornographic, gambling, illegal or malicious websites.
• Circumventing company information security policies and requirements.
• Executing network monitoring tools, such as port scanners, on the company's network without permission.
• Running unauthorized scripts, commands or programs.

Partner misuse—the Indignant Mole

The broken circle of trust

• A water company was receiving reports from its enterprise customers.
• Reports indicated incorrect changes had been made to online account details.
• Upon review, customer bank details had been changed; refunds were transferred fraudulently to new bank accounts.
• The refunds totaled over £500,000, but no evidence of a breach could be found.

Partner misuse involves semi-trusted entities with some level of access that, either through purposeful maliciousness or inadvertent ineptitude, lead to a breach.

Source: verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/

Human Resources

Partner misuse—the Indignant Mole

Response and investigation

• No malicious software was present on the company's systems.
• Key stakeholders were interviewed, including a third-party call center in India.
• A Mumbai user had accessed the accounts in question; however, there was no evidence of foul play.
• The user's home computer was examined; it had been sanitized (wiped) of virtually all data.
• Shadow copies revealed the user had sent account details to a relative in the UK, who had perpetrated the crime.

Attack-defend card

Partner misuse—the Indignant Mole

Lessons learned

• Review in-place agreements with all partners, especially those who have access to critical data.
• Ensure background checks occur on partner employees.
• The AUP should define and mitigate external device threats such as cell phone cameras.
• Establish data classification and limit access to sensitive data.
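In this case "no evidence of a breach" was true at the malware level, but the fraud was visible in the business records: bank details were changed and a refund followed shortly afterwards to the new payee. The following is an added example, not code from the Verizon deck or the Data Breach Digest, of the analytic a fraud or security team could run over constructed billing records: it joins each refund to a bank-detail change on the same customer account inside a look-back window, attributes the hit to the agent who made the change, and separately flags payee details reused across unrelated customers. The record fields, agent names and sort codes are assumptions and do not correspond to any real system.

```python
"""Added example (not from the Verizon deck): a change-then-refund analytic
for the 'Indignant Mole' pattern. All records are constructed."""
from collections import defaultdict
from datetime import date

# Constructed bank-detail change records (assumption: exported from the CRM,
# with the call-centre agent who made each change).
BANK_CHANGES = [
    {"ts": "2017-05-02", "account": "A1001", "agent": "csr_mumbai_17", "new_sort": "11-22-33", "new_acct": "99990001"},
    {"ts": "2017-05-02", "account": "A1007", "agent": "csr_mumbai_17", "new_sort": "11-22-33", "new_acct": "99990001"},
    {"ts": "2017-05-04", "account": "A1042", "agent": "csr_mumbai_17", "new_sort": "11-22-33", "new_acct": "99990002"},
    {"ts": "2017-05-05", "account": "A1200", "agent": "csr_leeds_03", "new_sort": "40-11-02", "new_acct": "12345678"},
]

# Constructed refund payments (assumption: exported from the billing system).
REFUNDS = [
    {"ts": "2017-05-06", "account": "A1001", "amount": 4200.0, "sort": "11-22-33", "acct": "99990001"},
    {"ts": "2017-05-07", "account": "A1007", "amount": 3900.0, "sort": "11-22-33", "acct": "99990001"},
    {"ts": "2017-05-09", "account": "A1042", "amount": 5100.0, "sort": "11-22-33", "acct": "99990002"},
    # 46 days after the change: outside the default window, so not a hit.
    {"ts": "2017-06-20", "account": "A1200", "amount": 150.0, "sort": "40-11-02", "acct": "12345678"},
    # No bank-detail change on this account at all.
    {"ts": "2017-05-08", "account": "A1300", "amount": 80.0, "sort": "20-00-00", "acct": "55550000"},
]


def _d(s):
    return date.fromisoformat(s)


def suspicious_refunds(changes, refunds, window_days=30):
    """Refunds paid to bank details that were changed on the same customer
    account within `window_days` before the payment, each attributed to the
    agent who made the change."""
    by_account = defaultdict(list)
    for c in changes:
        by_account[c["account"]].append(c)
    hits = []
    for r in refunds:
        for c in by_account.get(r["account"], []):
            age = (_d(r["ts"]) - _d(c["ts"])).days
            same_payee = (c["new_sort"], c["new_acct"]) == (r["sort"], r["acct"])
            if same_payee and 0 <= age <= window_days:
                hits.append({
                    "agent": c["agent"],
                    "account": r["account"],
                    "amount": r["amount"],
                    "days_after_change": age,
                })
    return hits


def by_agent(hits):
    """Aggregate suspicious refunds per agent: count and total value."""
    agg = defaultdict(lambda: {"count": 0, "total": 0.0})
    for h in hits:
        agg[h["agent"]]["count"] += 1
        agg[h["agent"]]["total"] += h["amount"]
    return dict(agg)


def shared_payees(changes):
    """Payee bank details that were set on more than one customer account.
    Unrelated customers rarely share a bank account; a mule account does."""
    payees = defaultdict(set)
    for c in changes:
        payees[(c["new_sort"], c["new_acct"])].add(c["account"])
    return {p: accts for p, accts in payees.items() if len(accts) > 1}


if __name__ == "__main__":
    hits = suspicious_refunds(BANK_CHANGES, REFUNDS)
    for agent, stats in by_agent(hits).items():
        print(f"ALERT {agent}: {stats['count']} refunds to freshly changed payees, total {stats['total']:.2f}")
    for payee, accounts in shared_payees(BANK_CHANGES).items():
        print(f"ALERT payee {payee} set on {sorted(accounts)}")
```

Attribution to the agent is what makes this actionable: it turns "customers are reporting wrong account details" into a named partner user whose access can be suspended and whose sessions can be pulled for the investigation, and it is exactly the kind of control the "limit access to sensitive data" lesson implies should exist before the refunds go out.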

verizon.com/about/responsibility/cybersecurity

Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or

distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Portable storage devices


Portable storage devices

Portable storage devices can be a threat to your organization—both as a cause of infection and as a means of data exfiltration.

• The AUP should include portable device use and security requirements.
• Consider prescribing within the AUP that storage media brought into the workplace and/or inserted into a company system is subject to seizure and search.
• External storage devices can be restricted both by policy and through software restrictions (blocking USB port usage).
• Ensure proper virus scanning is performed if external devices are allowed.
• Include security requirements for BYOD mobile phones and tablets.
• Consider all the ways data can leave your facility, not only by data storage, but also through recording devices such as cameras and voice recorders in cell phones.
• Balance security risks with employee inconvenience (should personal cell phones be restricted in the building?)

What other safeguards can be put in place?

USB infection—the Hot Tamale

The dirty cleaner

• A contracting company announced unilateral pay cuts; an outsider offered "bonus pay" to a janitor in need of cash.
• The task was simple: at night, plug a USB flash drive into company systems.
• Several systems were suspected of being accessed by an external entity via malware.

Threat actors with physical access can introduce toolkits, built to run directly from the USB device itself, to bypass access controls.

Source: verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/

Internal Investigator

USB infection—the Hot Tamale

Response and investigation

• Domain log searches for IoCs identified several systems accessed by an admin account.
• System log analysis revealed suspicious CLI-related exploitation attempts just after the USB device was introduced to the systems.
• The investigation found malware tied to this activity, including on the USB device.
• Timeline analysis led investigators to the janitorial staff; needless to say, the janitor was terminated.

Attack-defend card

USB infection—the Hot Tamale

Lessons learned

• The AUP should address USB device usage, including approved devices; consider also including the right to seize unauthorized devices.
• Ensure anti-virus solutions are configured to automatically scan removable devices for viruses.
• Disable USB device auto-run functionality.
• Limit local admin account usage.
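The timeline analysis that broke this case (a device appears, then a shell runs under an admin account minutes later) can be automated, and the "approved devices" point from both this slide and the earlier Portable storage devices slide fits into the same check. The following is an added example, not code from the Verizon deck or the Data Breach Digest: it runs over constructed events shaped like the data Windows carries in its "new external device recognized" and process-creation audit records, raises an alert for any removable device whose serial is not on an allowlist, and then looks at every process started on that host within a short window of the insertion, alerting when the image ran from a non-fixed drive or when a shell started under a local admin account. The hostnames, user names, serials, paths, the allowlist, the admin-account list and the ten-minute window are all assumptions for the example.

```python
"""Added example (not from the Verizon deck): correlating USB insertion with
what runs next, plus an approved-device allowlist. Events are constructed."""
from datetime import datetime, timedelta
import ntpath

APPROVED_SERIALS = {"APPROVED-0042"}          # assumption: register of company-issued drives
ADMIN_ACCOUNTS = {"wks-fin-07\\localadmin"}   # assumption: local admin inventory, lower-cased
FIXED_DRIVES = {"C:"}                         # assumption: only C: is internal on these hosts
SHELLS = {"cmd.exe", "powershell.exe"}        # interactive shells worth flagging under admin

# Constructed events in timestamp order (assumption: a collector has flattened
# device-connected and process-creation audit records to these fields).
EVENTS = [
    {"ts": "2017-06-12T23:02:10", "host": "wks-fin-07", "type": "device_connected",
     "serial": "0F3A9C11", "class": "USBSTOR"},
    {"ts": "2017-06-12T23:03:45", "host": "wks-fin-07", "type": "process_created",
     "user": "WKS-FIN-07\\localadmin", "image": "E:\\tools\\launcher.exe",
     "cmdline": "E:\\tools\\launcher.exe -q"},
    {"ts": "2017-06-12T23:04:02", "host": "wks-fin-07", "type": "process_created",
     "user": "WKS-FIN-07\\localadmin", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c whoami /priv"},
    {"ts": "2017-06-13T09:12:00", "host": "wks-hr-02", "type": "device_connected",
     "serial": "APPROVED-0042", "class": "USBSTOR"},
    {"ts": "2017-06-13T09:15:30", "host": "wks-hr-02", "type": "process_created",
     "user": "CORP\\alice", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "cmdline": "EXCEL.EXE F:\\q2.xlsx"},
    {"ts": "2017-06-13T11:00:00", "host": "wks-fin-07", "type": "process_created",
     "user": "CORP\\bob", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe"},
]


def _t(s):
    return datetime.fromisoformat(s)


def is_admin(user):
    return user.lower() in ADMIN_ACCOUNTS


def correlate_usb_activity(events, window=timedelta(minutes=10)):
    """Return alerts for unapproved removable devices, and for processes that
    start on the same host within `window` after a device connects when they
    either run from a non-fixed drive or are a shell under an admin account."""
    alerts = []
    procs = [e for e in events if e["type"] == "process_created"]
    for dev in (e for e in events if e["type"] == "device_connected"):
        t0 = _t(dev["ts"])
        if dev["serial"] not in APPROVED_SERIALS:
            alerts.append({"host": dev["host"], "ts": dev["ts"],
                           "reason": "unapproved removable device", "detail": dev["serial"]})
        for p in procs:
            if p["host"] != dev["host"]:
                continue
            dt = _t(p["ts"]) - t0
            if not (timedelta(0) <= dt <= window):
                continue
            drive = p["image"][:2].upper()
            name = ntpath.basename(p["image"]).lower()
            if drive not in FIXED_DRIVES:
                alerts.append({"host": p["host"], "ts": p["ts"],
                               "reason": "execution from removable media", "detail": p["image"]})
            elif name in SHELLS and is_admin(p["user"]):
                alerts.append({"host": p["host"], "ts": p["ts"],
                               "reason": "admin shell after device insert", "detail": p["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in correlate_usb_activity(EVENTS):
        print(f"ALERT {a['host']} {a['ts']}: {a['reason']} ({a['detail']})")
```

The approved HR drive and the Excel session that follows it produce nothing, which is the behaviour you want from a control that has to live alongside the "balance security risks with employee inconvenience" point: the allowlist and the after-insert window carry the load, not a blanket ban. Disabling AutoRun removes one way for the launcher to start, but a janitor double-clicking it does not need AutoRun, which is why the process correlation matters as well.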


Takeaways

• Put in place an AUP that defines specific restrictions and requirements for using company-owned information system assets in order to protect both the company and the user from legal and security risks.
• The AUP should reflect corporate culture while protecting both the company and the user from unacceptable, inappropriate, malicious or dangerous activities.
• Create an AUP that supports and ties in to other company policies, standards and guidelines.
• Regularly review and audit the AUP and update it to meet the challenges of an ever-evolving cyber threat landscape.


Cybersecurity awareness resources

2017 Data Breach Investigations Report
The Verizon Data Breach Investigations Report (DBIR) is back. Now in its tenth year, it's an unparalleled source of information on cybersecurity threats.
verizonenterprise.com/verizon-insights-lab/dbir/2017/

2017 Data Breach Digest: Perspective is Reality
Our 16 new cybercrime case studies provide insight into the biggest threats you face—plus tips on how to prevent them.
verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/

Insider Threat: Protecting the Keys to the Kingdom
Discover how to spot the signs of an insider threat using our cybercrime case studies and, in doing so, put measures in place to help protect the keys to your kingdom.
verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/

Verizon Product Responsibility
Securing yourself against cyber attacks (covers five data breach scenarios).
verizon.com/about/responsibility/cybersecurity

Verizon Corporate Responsibility
Cybersecurity tips to help you stay safe online (covers the same five scenarios as above).
verizon.com/about/news/cybersecurity-tips-help-you-stay-safe-online

Thank you.
