
Copyright@2017 by Godrej & Boyce Mfg. Co. Ltd.

All rights reserved


Information Technology (IT) Assets Guidelines

1 I Godrej I Title of presentation I Date


CONTENT

Why Cybersecurity?

Initiatives Taken by the Organization

The G&B Guidelines

Cyber security Champions

Types of Cyber Security Threats:

Malware

Social Engineering

Phishing

2 I Godrej I Cyber Security: E-Learning Training Module Restricted; Not for Circulation
WHY CYBER SECURITY?

GLOBAL ATTACKS ARE ON THE RISE.

IT'S NOT JUST BANKS & TELECOM COMPANIES ANY MORE:
ATTACKS ON MANUFACTURING COMPANIES ARE ON THE RISE

EMPLOYEES ARE THE FIRST AND LAST LINE OF DEFENCE!

GODREJ & BOYCE INITIATIVES

INITIATIVES TAKEN BY GODREJ

DUE TO THESE RECENT CYBER ATTACKS, IT BECOMES OUR RESPONSIBILITY TO BE MORE AWARE AND PROTECT OUR ORGANIZATION BY:

Embedding cyber vigilance within our company culture

Staying ahead of these threats by:

Proactive prevention
Effective detection
Optimized reporting
Adapted behaviours
Comprehensive training
Structured network
Increased engagement

THE GODREJ & BOYCE GUIDELINES

ACCEPTABLE USAGE OF IT ASSETS GUIDELINES
LAUNCH OF IT ASSETS AND INFORMATION ASSET CLASSIFICATION AND PROTECTION GUIDELINES ACROSS G&B

Acceptable usage of IT assets guidelines:
Usage of the Company's information systems
Usage of passwords
Virus Protection
Electronic Mail (E-mail) and instant messaging
Physical Security
Use of Office Equipment
Internet User Code of Conduct
Acceptable Usage of Social Media
Mobile Device Management Guidelines

Information Asset classification and protection guidelines:
Defining the type of Information assets
Classification and treatment of Information Assets

USAGE OF THE COMPANY'S INFORMATION SYSTEMS
THE KNOW-HOW #1

Authority to utilize the Company's information resources is for business purposes only

Downloading, redistributing and printing copyrighted materials on the Company's information systems is strictly prohibited

Disseminating proprietary data or other confidential information in violation of company guidelines is strictly prohibited

Downloading inappropriate material for personal use is strictly prohibited

Users are prohibited from tampering with the Company's security systems

Users must ensure that confidential papers, removable storage media and laptops are not left unattended in the work area

Users shall lock their computer systems when they move away from the device

Users shall not share Company information classified as confidential or restricted with a third party unless authorized by the information asset owner

Copyrighted materials belonging to entities other than the Company may not be transmitted by employees

PASSWORD USAGE

THE KNOW-HOW #2

Do not reveal your password in an E-mail message, over the telephone, on questionnaires or security forms, or to co-workers while on vacation

Passwords should not contain the word Godrej or any variants such as Godrej@123. Passwords should not contain names of any applications or servers, such as speedflow@123

Users must not use the same password for Company accounts as for other non-company access

Change passwords at regular intervals and avoid recycling old passwords

Ensure that you access the system only through your individual user ID and password, and do not allow anyone else to access the system through your password

Multiple users should not be allowed to access the system through the same email ID

The Perfect Password: at least 8 characters, with uppercase letters, lowercase letters, numbers and special characters

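An added example, not part of the Godrej deck: a Python check that applies the password rules above (at least 8 characters with upper case, lower case, numbers and special characters; no Godrej or application names such as speedflow, including variants like Godrej@123; no recycling of old passwords). The blocked-term list, the character-substitution table and the salted PBKDF2 password history are my assumptions about how such a check would be implemented, not the company's actual tooling.

```python
import hashlib
import os
import re

MIN_LENGTH = 8
PBKDF2_ROUNDS = 100_000

# Terms the guideline forbids inside a password: the company name (and variants such
# as Godrej@123) and application/server names (the deck's example is speedflow@123).
# Only these two terms come from the deck; extend the tuple with your own application names.
BLOCKED_TERMS = ("godrej", "speedflow")

# Assumed substitution table: common look-alike replacements are folded back to letters
# so that a variant such as "G0drej!" is caught as "godrej".
_SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
)


def _normalize(password):
    """Lower-case the password and undo look-alike substitutions before term matching."""
    return password.lower().translate(_SUBSTITUTIONS)


def hash_for_history(password, salt=None):
    """Salted PBKDF2 digest, so the history never stores the old password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(password, history):
    """History is a sequence of (salt, digest) tuples produced by hash_for_history()."""
    return any(
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS) == digest
        for salt, digest in history
    )


def check_password(password, history=()):
    """Return the list of guideline violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    normalized = _normalize(password)
    for term in BLOCKED_TERMS:
        if term in normalized:
            problems.append(f"contains blocked term '{term}'")
    if was_used_before(password, history):
        problems.append("recycles a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample history: one old password the user already used.
    old_passwords = [hash_for_history("Winter#2016x")]
    for candidate in ("Godrej@123", "speedflow@123", "G0drej!Pass", "Winter#2016x", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, old_passwords) or "OK")
```

The two deck examples (Godrej@123 and speedflow@123) both fail on the blocked-term rule even though Godrej@123 satisfies every character-class rule, which is the point the guideline makes.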
EMAIL SECURITY

THE KNOW-HOW #3

Users shall use only their own corporate E-mail account and not allow anyone else to access their account

No e-mail or other communication should be sent which intentionally hides the identity of the sender or represents the sender as someone else or as someone from another organization

Any messages or information sent by a user to another individual outside the Company via an electronic network are statements that normally reflect on the Company. Therefore, all such communication should be done keeping the Company's security and image uppermost in mind

E-mail should be used primarily for business purposes

Users shall not send unsolicited bulk mail messages

Forwarding of company email to a personal email ID is not permitted

PHYSICAL SECURITY

THE KNOW-HOW #4

Users shall not enter the Company without ID badges and shall always display their ID badges within the Company

Users shall not allow any unauthorized person to accompany them and/or enter the Company without a proper gate pass

Users shall ensure that any company asset or document taken outside the premises follows proper procedures and is authorized on an appropriate gate pass

Vendors and third-party contractors who bring in their own assets for official usage should declare them at the security checkpoint and get an entry made on the gate pass

The first line of defense for every organization is YOU!

Physical security is the protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss or damage to an enterprise.

APPROPRIATE USE OF OFFICE EQUIPMENT

THE KNOW-HOW #5

Users shall not reveal sensitive information over the telephone

Making additional copies or printing extra copies of confidential information is prohibited

While the use of USB storage devices on laptops and desktops is allowed, any unauthorized access would make the employee liable for punitive action

Employees are responsible for data backup at reasonable intervals

Users shall not download any software directly from the Internet

ACCEPTABLE USAGE OF SOCIAL MEDIA

THE KNOW-HOW #6

Do not forget to verify the source of a message before giving out any information

Go slow and pay keen attention to fine details in emails and messages

Never click on embedded links in emails from unknown senders

Never download email attachments from unknown senders

Reject requests for online tech support from strangers, no matter how legitimate they may appear

Secure your computer with a strong firewall and up-to-date antivirus software, and set your spam filters high

Don't forget to verify the website URL

Avoid being greedy on the web

MALWARE PROTECTION

THE KNOW-HOW #7

Users shall not open any files attached to an E-mail from a suspicious source or whose subject line is questionable

Users shall delete chain / junk E-mails (spam) and not forward or reply to any of these mails

Employees should report such emails to the DPH / location HR Head / BCM for the branches, or to the email ID infosec@godrej.com

Users shall not download any software directly from the Internet

Users must contact the IT helpdesk if they have any additional specific software requirements

Users shall not download security programs or utilities that reveal weaknesses in the security of systems

Users shall not bring any personal media for use on Company computer systems

TYPE OF INFORMATION ASSETS

Information: institutionalized information in soft form

Software: software which is used to support / facilitate the company's business operations
(Application Software, Systems Software, Utilities, Development Tools)

Physical: physical devices which are required to support operations
(Switches, Servers, Firewalls, Routers, Desktops, Laptops, Fax Machines, Printers)

Paper: institutionalized information in physical hard-copy form
(Agreements, Contracts, Manuals, Invoices)

Service: services / infrastructure which are necessary to ensure the smooth operation of the company
(HVAC, UPS, Fire Detection Systems, Generator, Telecommunication equipment)

DATA CLASSIFICATION
HOW & WHAT TO CLASSIFY

Classification Category: Critical
Criteria for Classification: Most valuable company information, which may be disclosed only to concerned personnel. Its unauthorized disclosure could have an adverse impact on operations, stakeholders, business partners and/or customers, leading to legal and financial repercussions and adverse public opinion.
Treatment of Information Assets: Should be handled only by limited employees. Modification should be authorized by the relevant authority.

Classification Category: Restricted
Criteria for Classification: Valuable information which may be disclosed only to identified personnel within the company. While its unauthorized disclosure is against the guideline, it is not expected to adversely impact the company.
Treatment of Information Assets: Shared only amongst company employees, to enhance sharing of best practices.

Classification Category: Public
Criteria for Classification: Information which can be shared freely with personnel outside the company without potential harm.
Treatment of Information Assets: It may be freely disseminated.

EXAMPLES

SCENARIO #1:

I have received a Financial Statement from the Head of the Business Unit. Can I share it with my colleagues, or make changes?

A Financial Statement would be a Critical document. It should be handled only by limited employees, and you should not share it with anybody unless specifically informed by the Head of the Business Unit. Any changes to such a document can only be made by the relevant authority for the identified personnel only

SCENARIO #2:

I have received an SOP from my superior which can be adopted as a best practice within the Business Unit. Can I share it with my colleagues in other Business Units?

A Standard Operating Procedure (SOP) is a Restricted document. After taking permission from the relevant authorities, it may be shared within the same Business Unit or within the Company

TYPES OF CYBER SECURITY THREATS

MALWARE

CONTENT - MALWARE

Malware

What is Malware?

Statistics 2016

Different Types of Malware

Malware Symptoms

How to prevent it?

The Cure

The Instances

Short for "malicious software", malware refers to software programs designed to damage or do other unwanted actions on a computer system

Malware is often used against individuals to gain information such as personal identification numbers or details, bank or credit card numbers, and passwords. Left unguarded, personal and networked computers can be at considerable risk from these threats

It can cause havoc on a computer's hard drive by deleting files or directory information. Spyware can gather data from a user's system without the user knowing it

MALWARE STATISTICS

INFOGRAPHIC DEPICTING REVENUE MODEL OF MALWARE IN 2016

MALWARE INFECTED AREAS:

TYPES OF MALWARE

Malware: Virus, Worm, Trojan, Rootkit, Ransomware

VIRUS

A virus is a contagious program or code that attaches itself to another piece of software, and then reproduces itself when that software is run. Most often this is spread by sharing software or files between computers

WORM

A program that replicates itself and destroys data and files on the computer. Worms work to eat the system operating files and data files until the drive is empty

TROJAN

The most dangerous Malware. Trojans are written with the purpose of discovering your financial information, taking over your computer's system resources, and in larger systems creating a denial-of-service attack

Denial-of-service attack: An attempt to make a machine or network resource unavailable to those attempting to reach it. Example: AOL, Yahoo or your business network becoming unavailable

ROOTKIT

This one is likened to the burglar hiding in the attic, waiting to take from you while you are not home

It is the hardest of all Malware to detect and therefore to remove

Many experts recommend completely wiping your hard drive and reinstalling everything from scratch

It is designed to let other information-gathering Malware in, to get the identity information from your computer without you realizing anything is going on

RANSOMWARE

If you see a screen that warns you that you have been locked out of your computer until you pay up, your system is severely infected with a form of Malware called Ransomware

It is not a real notification from a law enforcement agency, but rather an infection of the system itself

Even if you pay to unlock the system, the system is unlocked, but you are not free of it locking you out again. The request for money, usually in the hundreds of dollars, is completely fake

SYMPTOMS OF MALWARE

THE EARLY SIGNS

While these types of malware differ greatly in how they spread and infect computers, they all can produce similar symptoms. Computers that are infected with malware can exhibit any of the following symptoms:

Increased CPU usage

Slow computer or web browser speeds

Problems connecting to networks

Freezing or crashing

Modified or deleted files

Appearance of strange files, programs, or desktop icons

Programs running, turning off, or reconfiguring themselves (malware will often reconfigure or turn off antivirus and firewall programs)

Strange computer behaviour

Emails/messages being sent automatically and without the user's knowledge (a friend receives a strange email from you that you did not send)

HOW TO PREVENT?

PREVENTION IS BETTER THAN CURE

Purchase and maintain anti-virus software: It is important to use only one anti-virus program; in addition to performance issues, multiple programs may conflict, causing connection and security problems. Be sure to keep your security solution up to date; out-of-date security is useless

Keep up-to-date: It is important to download and install all updates for the software you are using. Windows updates should be downloaded and installed when available. These updates often patch security holes. Updates for other applications such as Adobe, Java, and media players should also be installed. These program updates may also improve the security of these applications

Site Advisor: These programs alert you to the risk level of a website before you enter it. You should also steer clear of high-risk websites such as sites containing pirated software downloads and adult-only material. These sites can contain malicious code

START WITH PREVENTION!

File Sharing Sites: The files shared on these sites can be fraudulent. Often you believe you are downloading your favourite song when in reality it is malware or a virus. Installing these programs often opens a tunnel for any type of program to execute on your PC

Scan: Periodically scan your computer for malware. These programs can detect and remove even minor malware threats

Beware of e-mail: Don't open e-mail from strangers. You wouldn't let a stranger into your house, so do not let them into your computer. Also beware of unexpected e-mail attachments

DON'T CATCH THE COLD!

Stay legit: Pirated and cracked software can contain malware and often prevents the software from obtaining updates. Pirated software could also contain keyloggers, spyware, or other malicious code

Think before you click: Even legitimate websites can contain ads or links that will forward you to higher-risk websites. Social networking sites such as MySpace or Facebook may display messages tempting you to click a link, such as "click here for a picture of your friend". These links often forward you to a bogus website

THE CURE

DO NOT PANIC!

Back Up Your Personal Files

Disconnect From The Internet

Boot In Safe Mode Or With A Live Antivirus Rescue Disk: By booting in Safe Mode, you're able to prevent any non-core components from running, allowing you to isolate problems more easily. To do this, restart your computer, and press and hold the F8 key while your computer starts up. The first option, Safe Mode, should already be selected, but if not, you can navigate to it with your arrow keys. Then press Enter. Once you're in Safe Mode, you can continue the malware-removal process

Change Your Passwords

Report to your concerned IT/Cybersecurity department

THE INSTANCES

Never trust a random pop-up ad that hasn't been validated by your existing anti-virus software

Avoid clicking on such claims, as they are always likely to contain some form of malware!

This is a hidden Jotform link

SOCIAL ENGINEERING

CONTENT - SOCIAL ENGINEERING

What is Social Engineering?

Statistics 2016

Types of Attacks

What not to do!

Scenarios

Conclusion

AN ATTACK ON YOUR PSYCHE!

Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures

STATISTICS 2016

TYPES OF ATTACKS

Types of Attacks: Baiting, Phishing, Pretexting, Scareware

BAITING

Baiting is when an attacker leaves a malware-infected physical device, such as a USB flash drive, in a place it is sure to be found

The finder then picks up the device and loads it onto his or her computer, unintentionally installing the malware

PHISHING

Phishing is when a malicious party sends a fraudulent email disguised as a legitimate email, often purporting to be from a trusted source

The message is meant to trick the recipient into sharing personal or financial information or clicking on a link that installs malware

PRETEXTING

Pretexting is when one party lies to another to gain access to privileged data

For example, a pretexting scam could involve an attacker who pretends to need personal or financial data in order to confirm the identity of the recipient

SCAREWARE

Scareware involves tricking the victim into thinking his computer is infected with malware or has inadvertently downloaded illegal content

The attacker then offers the victim a solution that will fix the bogus problem; in reality, the victim is simply tricked into downloading and installing the attacker's malware

SCENARIOS

SCENARIO #1:
THE PENTESTER DECIDED TO PHISH FOR AN UNLISTED EMAIL ADDRESS OF A CFO IN THE AT-RISK COMPANY. HE STARTS BY CALLING THE CFO'S ADMINISTRATIVE ASSISTANT:

A: Locks International, this is Asha, how can I help you?

Phisher: Hi Asha, this is Amit, I'm a new hire down in Budgets trying to update some contact lists. Do you have Mr. Rahul Marolia's email address for our records?

A: I do, but that's not often given out, you can just use my address for most things, it is Asha@LI.com

Phisher: I know that, but I'm being put through the wringer down here and I was supposed to have this on my manager's desk an hour ago and now he keeps checking up on me and I just started this job and I've...

A: All right, I understand, you can calm down. The email address is CFO@LI.com

This scenario may seem far-fetched in written form, but change a few names and it quickly becomes real life

SCENARIO #2:
THE PENTESTER WANTS TO ENTER THE BUILDING WITHOUT PROPER ACCESS RIGHTS. AFTER DAYS OF STANDING OUTSIDE A SECURE ENTRANCE TO ACME, LOOKING ANXIOUS, THE PENTESTER FEELS THE TIME IS RIGHT. HE RECOGNIZES A MAN WHO OFTEN COMES THROUGH THIS ENTRANCE AND APPROACHES HIM:

Pentester: It's been a hell of a week, huh?

Man: Yea, I guess it has.

Pentester: I left my ID in my car, and my car's in the shop. I guess you really SHOULD get an oil change every 3000 kms.

Man: Ha! Yea, I guess you should.

As the man walks inside, he holds the door open for the pentester.

The man might have been suspicious of the pentester at first, but he's seen him around, and he shared a bit of his personal life. He even made a joke. That connection stirred some compassion and let him in the door

SCENARIO #3:

When was the last time someone said something like, "Yea! It was like in that one cricket match, India vs Eng, oh, what was that cricketer's name? He scored 300, just like Sehwag?" or something along those lines, and you blurt out "Karun Nair!" to much celebration and mild envy from a friend who's clearly deficient in knowing great actors from awesome movies.

People like to be smart. There's no shame in it. That's why trivia games exist, people watch Jeopardy and most of us have filled in at least one Sudoku book in our lives. We especially like being smart when we can get recognized for it.

Now, think about when someone calls saying "I'm trying to call, what's-her-name, in accounting who stays at Thane" and you suddenly share the name of a person in accounting. That might earn celebration from the engineer on the other end of the phone, but your impulses just gave something away.

For one week, write down every urge you have to blurt out information someone's seeking or struggling to remember. You're not likely to actually write these down, but every time it happens, it'll make you think for a second. Try it; it's creepy how often it comes up.

PAY CLOSER ATTENTION

When you're in any situation, good or bad, step back and look at it objectively. Notice what information is moving, what favors are being done, why it's important, what the implications are if the information moves or if the favor is granted, and what the best and worst outcomes of the situation are. If you really look at situations, many can start to seem a little fishy:

Why is this guy in Budget making a contact list?

How come the guy outside the building hasn't gone to the auto shop to get his ID when he needs it every day?

Why can't he remember her name when everyone knows her?

Those questions could have been pivotal, if the people in the scenarios above had taken a step back. Social engineering attacks are dangerous. Not because we need to remember harder passwords or remember our IDs at work, but because they don't require a change in knowledge. Changes in knowledge are actually easy to adapt to. There are tricks to remembering things. Stopping these attacks requires a change in behavior, and there aren't any tricks to make that easy. Changes in behavior require changes in mindsets and paying closer attention.

PHISHING

CONTENT - PHISHING

What is Phishing?

How does it work?

Phishing Link Detection

Types of Phishing

Current Trends

How to avoid getting caught?

What to do when Fraud happens to me?

WHAT IS PHISHING?

The act of sending an email to a user falsely claiming to be an established, legitimate enterprise, in an attempt to scam the user into surrendering private information that will be used for identity theft

Targeted attacks through phishing, especially in large corporates, are real and growing at an alarming rate.

These are some of the statistics of 2016:

85 percent of organizations have suffered phishing attacks!

UNIQUE PHISHING SITES DETECTED OCTOBER 2015 TO MARCH 2016

250% surge in phishing detected in Q1 2016!

NUMBER OF PHISHING EMAILS OPENED & CLOSED IN FIRST 24 HOURS

30% of phishing emails get opened!

That is the kind of open rate that marketers would kill for!

HOW DOES IT WORK?

Attackers use different methods of deception as phishing strategies.

They create fake messages and websites that imitate the original ones and try to lure you into handing over your personal information.
They will either ask you to reply to them, follow a link included in the message or download an attachment.
To make the phishing look genuine, attackers include photos and information copied from the original website.
They may even redirect you to the company's real website and collect the data through a false pop-up window. Or it can happen the other way around: they first request your personal data, then redirect you to the real website so that nothing looks amiss.
Other times, they tell you that you have been targeted by a scam and that you urgently need to update your information in order to keep your account safe.

DETECTING PHISHING LINKS

The criminally fraudulent process of attempting to acquire sensitive information (usernames, passwords, credit card details) by masquerading as a trustworthy entity in an electronic communication.

Senders commonly impersonated:

Social web sites
Auction sites
Online payment processors
IT administrators

TYPES OF PHISHING

SPEAR PHISHING

Spear phishing is an email directed at specific individuals or companies. It is highly effective and very well planned.

The attackers take their time and gather all the available information about their target before the attack: personal history, interests, activities, details about colleagues and any other details they can find. These are used to create a highly personalized and believable email.

It's a technique that works because the phishing email appears to be from someone you know and requires urgent action.

Spear phishing requires more effort, but its success rate is also higher. It's currently the most successful phishing technique, accounting for 95% of attacks.

And all this just by gathering publicly available information that we freely share on our social media accounts and blogs.

EXAMPLE

WHALE PHISHING

Whale phishing is the term used for attacks directed at high profile targets within
companies, such as upper management or senior executives

These are tailored to appear as critical business email, sent from a legitimate
business authority, that concern the whole company

Here are a few examples: legal subpoenas, managerial issues, consumer complaints

Needless to say, the return on investment for attackers is very high in this case. And, contrary to what you'd think, these targets are not always as security-savvy or as well protected as they should be.

EXAMPLE

CLONE PHISHING

Clone phishing uses legitimate, previously delivered emails

The cyber attackers will use original emails to create a cloned or almost identical
version

Clone phishing emails may claim to be a resend of the original or an updated version
of it

Only this time, the attachment or link is replaced with a malicious version. The mail appears to come from the original sender, but the reply-to address is faked so that any answer goes to the attacker.

This phishing strategy works because it exploits the trust established by the original mail.

EXAMPLE

CURRENT PHISHING TRENDS

CURRENT TRENDS

Cloud phishing: these attacks have grown in the past year because of the increasing use of cloud storage. The lure is usually distributed via email or social media, as a message sent from a compromised friend's account or on behalf of a cloud service provider. The stolen information can be used for extortion, sold to third parties or used in targeted attacks.

Government phishing: be vigilant with communications that claim to be from law enforcement or government agencies, such as the IRS, FBI or any other entity. Most fraudulent attempts of this kind in past years were created to mimic IRS communications, in an attempt to steal your financial information.

Social media phishing: phishers create websites that look identical to Facebook, LinkedIn or any other social media site, using similar URLs and emails, in an attempt to steal login information. The attackers can then use this to access your account and send messages to your friends, further spreading the illegitimate sites.

HOW TO AVOID THE BAIT!

HOW TO AVOID GETTING CAUGHT IN THE PHISH NET?

Clue #1: Sender details

The first thing to check is the sender's email address.
Look at the email header. Does the sender's email address match the displayed name and the expected domain? Check the Reply-To address too: a mail can show a familiar From address while answers are routed to the attacker.
Spoofing the display name of an email so that it appears to come from a brand is one of the most basic phishing tactics.

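As an added illustration of Clue #1, and of the faked reply-to address described under clone phishing above, the following Python script (not part of the original training module) parses a raw message with the standard library and reports sender-header inconsistencies. The two sample messages, the lookalike domain godrej-secure-login.net and the Reply-To address in them are constructed for this example, and the trusted domain is assumed to be godrej.com.

```python
"""Added example (not from the training module): sender-header checks.

Looks at the From and Reply-To headers of a raw message and reports the
inconsistencies the slides describe: a display name that claims a different
address than the real sender, a lookalike sender domain, and a Reply-To that
diverts answers elsewhere (the clone-phishing trick).
"""
import email
from email.utils import getaddresses, parseaddr

# Constructed sample: the display name quotes the genuine infosec mailbox,
# the actual sender sits on a lookalike domain (invented for this example),
# and Reply-To points at a third domain so answers never reach the company.
PHISH_RAW = """\
From: "infosec@godrej.com" <alerts@godrej-secure-login.net>
Reply-To: collect@mail-drop.example
To: employee@godrej.com
Subject: Urgent: verify your account within 24 hours

Your mailbox will be suspended. Reply with your password to keep access.
"""

# Constructed sample that should produce no findings.
CLEAN_RAW = """\
From: "Information Security" <infosec@godrej.com>
To: employee@godrej.com
Subject: Reminder: annual security training

Please complete the e-learning module by the end of the month.
"""


def _domain(addr: str) -> str:
    """Lower-cased part after the last '@', or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def sender_findings(raw: str, trusted_domain: str = "godrej.com") -> list:
    """Return a list of human-readable findings for the sender headers.

    An empty list means the headers are consistent with trusted_domain. It does
    not prove the mail is genuine: a compromised real mailbox passes every
    check here, so treat this as triage, not as a verdict.
    """
    msg = email.message_from_string(raw)
    trusted = trusted_domain.lower()
    brand = trusted.split(".")[0]                # e.g. 'godrej'
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    findings = []

    # Clue #1: the display name embeds an address on a different domain.
    name_domain = _domain(name)
    if name_domain and name_domain != from_domain:
        findings.append(
            f"display name claims {name_domain} but the address is on {from_domain}")

    # Clue #1: the brand name appears in a sender domain that is not the trusted one.
    if (from_domain != trusted and not from_domain.endswith("." + trusted)
            and brand in from_domain):
        findings.append(f"lookalike sender domain {from_domain}")

    # Clone phishing: Reply-To diverts answers to a domain other than the sender's.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        reply_domain = _domain(reply)
        if reply_domain and reply_domain != from_domain:
            findings.append(f"Reply-To {reply} is on {reply_domain}, not {from_domain}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_RAW), ("clean", CLEAN_RAW)):
        print(label, sender_findings(raw) or ["no findings"])
```

Run it as a script to see the three findings for the phishing sample and none for the clean one. The checks only look at headers the attacker controls, so an empty result is a reason to keep reading the mail with the other clues, not a reason to trust it.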

Clue #2: Message content

They ask you to send them or verify personal information via email, and they are likely to play on your emotions or on urgency.
As a general rule, be suspicious of any mail that contains urgent requests (e.g. "respond within two days or you will lose this deal"), exciting or upsetting news, offers, gift deals or coupons, especially around major holidays or events such as Diwali or New Year.


Clue #3: Problems with a purchase or delivery

They claim there was some sort of problem with your recent purchase or delivery and ask you to resend personal information, or just to click on a link to resolve it.
Banks and legitimate e-commerce representatives will never ask you to do that, as email is not a secure method of transmitting such information.


Clue #4: Look out for attachments

They can attach other types of files, such as PDF or DOC, that contain links, or files that carry malware. Opening such a file may even crash your browser or document viewer while malware is being installed.

Clue #5: External links / websites

Let's assume that you already clicked on a link from a suspicious email. Is the domain correct? Don't forget that the link may look identical but use a variation in spelling or a different domain.

FOLLOW THESE RULES

First rule: Beware of bogus or misleading links

Hover your mouse over the links in the email message in order to check them BEFORE clicking on them.
The URLs may look valid at first glance but use a variation in spelling or a different domain (.net instead of .com, for example).

Second rule: Look out for IP address links or URL shorteners

Attackers can take a long URL, shorten it using a service such as bit.ly, and have it redirect to the intended destination, so the real target stays hidden until you click. A link to a bare IP address instead of a company hostname deserves the same suspicion.

Third rule: Beware of typos or spelling mistakes

Fourth rule: Beware of amateurish looking designs

This means images that don't match the background or haven't been formatted to fit the style of the email, and photos or logos at low resolution or of poor quality.

Fifth rule: Beware of missing signatures

Lack of details about the sender or about how to contact the company points towards phishing. A legitimate company will always provide such information.

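As an added illustration of the first and second rules above (and of Clue #5), here is a Python script that extracts every link from an HTML mail body and applies those checks: visible text that names one site while the link goes to another, a different TLD or a one-character spelling variation of a trusted domain, raw IP-address hosts, and URL shorteners. It is not code from the training module; the HTML body, the lookalike domains, the IP address and the shortener list (bit.ly is named on the slide, the other hosts are an assumption) are constructed for the example, and godrej.com is assumed to be the trusted domain.

```python
"""Added example (not from the training module): link checks for an HTML mail.

Pulls every <a href> out of a mail body and flags the link patterns the slides
warn about. It runs offline on the constructed sample below.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Known URL-shortening hosts. bit.ly is named on the slide; the others are an
# assumption for this example and should be extended from your own telemetry.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Constructed HTML body: the lookalike domains and the IP address are invented.
SAMPLE_HTML = """
<p>Your Godrej account needs verification.</p>
<a href="http://godrej.net/verify">https://godrej.com/verify</a><br>
<a href="http://203.0.113.7/secure">Secure portal</a><br>
<a href="https://bit.ly/3xample">Read the new policy</a><br>
<a href="https://godrei.com/reset">Reset password</a><br>
<a href="https://intranet.godrej.com/training">Training portal</a>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Lower-cased hostname; bare text like 'godrej.com/verify' counts as a URL."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host: str) -> str:
    """Last two labels ('intranet.godrej.com' -> 'godrej.com'). Enough for the
    demo; a real tool should consult the public suffix list."""
    return ".".join(host.split(".")[-2:])


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character spelling variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_findings(html_body: str, trusted_domains=("godrej.com",)) -> list:
    """Return (href, reason) pairs for every suspicious link in html_body."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for href, text in parser.links:
        host = _host(href)
        if not host:
            continue
        # Second rule: raw IP addresses and shorteners hide the real destination.
        if _is_ip(host):
            findings.append((href, "raw IP address instead of a hostname"))
        if host in SHORTENERS:
            findings.append((href, "URL shortener hides the real destination"))
        # First rule: the visible text names one site but the link goes elsewhere.
        if "." in text and " " not in text:
            text_host = _host(text)
            if text_host and _registrable(text_host) != _registrable(host):
                findings.append((href, f"text shows {text_host} but link goes to {host}"))
        # First rule: lookalike of a trusted domain (other TLD, or one letter off).
        reg = _registrable(host)
        if reg in trusted:
            continue
        reg_label, _, reg_tld = reg.partition(".")
        for t in trusted:
            t_label, _, t_tld = t.partition(".")
            if reg_label == t_label and reg_tld != t_tld:
                findings.append((href, f"{reg} uses a different TLD than trusted {t}"))
            elif _edit_distance(reg_label, t_label) == 1:
                findings.append((href, f"{reg} is one character away from trusted {t}"))
    return findings


if __name__ == "__main__":
    for href, reason in link_findings(SAMPLE_HTML):
        print(f"{href:42} {reason}")
```

On the sample the script reports five findings: two for the godrej.net link (text and destination disagree, and the TLD differs from godrej.com), one each for the IP-address link, the bit.ly link and the godrei.com typo, and nothing for the genuine intranet.godrej.com subdomain. Hovering over a link in the mail client shows you the same href the script reads; the script just applies the rules consistently.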
WHAT TO DO IF YOU THINK YOU WERE PHISHED?

If you have a hunch that something is wrong, immediately contact your bank or credit card institution and close the accounts you believe may have been compromised.

Change the passwords used for those accounts, and then also change the passwords of the email accounts linked to them.

Report to the concerned cybersecurity personnel or the IT department if you think your PC has been breached.

Conclusion:
One last piece of advice: always trust your instinct. It may not be the most scientific approach, but, ultimately, you should listen to what your intuition tells you. If something feels wrong, even if you cannot specifically explain why, or if it's too good to be true, it's better to stay away from it.

WHOM TO CONTACT IN CASE OF A VIOLATION?

Users are encouraged to consult the following people, the Cyber Security Champions, whenever they need clarifications about the guidelines or about how to act in a particular situation:

a. Divisional Personnel Head (DPH)
b. Location Human Resource Head (LHRH) for upcountry factories
c. Branch Commercial Manager (BCM) for the branches
d. Manager Information Security (Vikhroli)
e. Manager Information Security, or the email id infosec@godrej.com

Now that you have understood the module, let's go through a short quiz to gauge your understanding.
Please click on the Exit Module tab on the top right hand side.
Post that, click on the Main Menu tab to return to the home screen and take the quiz.