Resources

Information Classification

What is it?

Information classification is an ongoing risk management process that identifies critical information assets - data, records, files - so that appropriate information security controls can be applied to protect them. It is the cornerstone of an effective, efficient, business-aligned information security program.

Your agencies retain a wide variety of information assets, many of which are sensitive and/or critical to your mission, business functions and services. Information is being accessed through, and maintained in, an ever wider variety of formats and environments. If you do not know what information assets you have, their value to the business, and where they are stored, how can you ensure they are protected properly?

Secure System Development Life Cycle Standard

The Secure Systems Development Lifecycle (SSDLC) defines the security requirements and tasks that must be considered and addressed within every system, project or application that is created or updated to address a business need. The SSDLC is used to ensure that security is adequately considered and built into each phase of every system development lifecycle (SDLC).

The SSDLC toolkit was developed to assist project, systems and application teams in collecting the artifacts and documentation needed to fulfill the security tasks in the SSDLC standard (NYS-S13-001). The security tasks within the SSDLC map easily onto the phases of most SDLCs and should be used as a guideline for initiating those security tasks.


Phishing Attacks - Are You at Risk?

One of the most common online scams is called phishing. Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by masquerading as a trustworthy entity. Online scammers will pose as legitimate businesses, organizations, or individuals. If they are able to gain the trust of their victims, they can leverage that trust to convince victims to willingly give up information or click on malicious links or attachments. Online scammers can make their communications appear to be those of legitimate businesses or organizations by spoofing the email address (i.e., sending email with a forged sender address), creating a fake website with legitimate logos, and even providing phone numbers for an illegitimate customer service center operated by the scammers.

Two common types of phishing attacks:

  • Phishing Email - One of the best known forms of phishing is an email scam. An email, purporting to be from a popular company or organization, may ask you to click on a link in order to fix a problem with your account. In other instances, the email message may threaten to close your account if you do not respond. Scammers often claim that your security has been compromised in order to increase the likelihood that the recipient will respond.
  • Spear Phishing - Spear phishing is a personalized email attack in which a specific organization or individual is targeted. These attacks are prepared using information about an individual to make the email appear to be legitimate and induce the recipient to divulge sensitive information or download a malicious file. Such attack preparation is often based on extensive information gathering on the targets and has become one of the favored methods used in cyber espionage.

Phishing scams can be difficult to identify; however, being aware of the threat and being vigilant in examining emails can reduce the risk that you will fall prey to such an attack.

Recommendations:

  • Be cautious about all communications you receive, including those that purport to be from "trusted entities." Be careful when clicking any links contained within those messages. If in doubt, do not click.
  • Do not send your personal information via email. Legitimate businesses will not ask users to send sensitive personal information through email.
  • Keep an eye out for telltale signs: poor spelling or grammar, the use of threats, or a link whose URL does not match that of the legitimate site.
  • Be wary of how much information you post online. The less information you post, the less data you make available to a cybercriminal for use in developing a potential attack or scam.
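The "URL does not match the legitimate site" sign above can be checked mechanically in an HTML email: flag any link whose visible text shows one domain while its href actually points at another. The following is an added example, not code from this page or from the NYS CISO; the sample email body is constructed, and the registrable-domain helper is a deliberate approximation (a production filter would consult the Public Suffix List).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain-looking tokens inside the visible link text, e.g. "www.examplebank.com".
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude approximation: the last two DNS labels (assumption, not PSL-aware)."""
    return ".".join(host.lower().split(".")[-2:])


def mismatched_links(html: str):
    """Return (domain shown to the reader, host the link really goes to) for
    every link whose displayed domain differs from the href's domain."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):   # skip mailto:, tel:, ...
            continue
        real_host = target.hostname or ""
        for shown in DOMAIN_RE.findall(text):
            if registrable_domain(shown) != registrable_domain(real_host):
                findings.append((shown, real_host))
    return findings


# Constructed sample: the visible text names the bank, the href does not.
SAMPLE_EMAIL = """<p>Dear customer, your account has been locked.</p>
<p>Please verify at <a href="http://login.examp1ebank-secure.net/verify">https://www.examplebank.com/login</a>
or contact <a href="https://www.examplebank.com/help">our help desk</a>.</p>"""
```

Running `mismatched_links(SAMPLE_EMAIL)` reports the first link only; the help-desk link's text shows no domain and its href is consistent.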

Additional Resources:

Phishing Awareness Quiz Resources:

These links are provided because they have information that may be useful. The NYS Chief Information Security Office (CISO) and the State of New York do not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CISO or the State of New York.

Ransomware

Ransomware is a type of malware that denies access to a user's data, usually by encrypting the data with a key known only to the attacker who deployed the malware, and demands payment of a ransom before access is restored.

What can you do? 

Be Prepared!

  • Create, maintain, and exercise a basic cyber incident response plan
  • Create and maintain a communications plan that includes response and notification procedures for a ransomware incident
  • Conduct regular vulnerability scanning
  • Regularly patch and update software
  • Ensure devices are properly configured and security features enabled
  • Maintain best practices for remote desktop services
  • Consider using an intrusion detection system
  • Have a cyber security awareness plan to keep employees up to date on phishing, malware and other common ransomware avenues
  • Utilize multi-factor authentication
  • Apply the principle of least privilege to all systems and services
  • Keep network logs and analyze activity

Want to learn more? 

Ransomware: What It Is and What to Do About it

Ransomware (CISA)

MS-ISAC Security Primer: Ransomware

MS-ISAC Ransomware: Facts, Threats, and Countermeasures

CISA Ransomware Guide

CISA Ransomware Training


Government Security Sites

National Information Sharing and Analysis Center

Security Resources


Multi-Factor Authentication

What is MFA?

Multi-Factor Authentication (MFA) is a security feature that requires two or more unique factors to verify a user's identity. This technology validates that the user is the expected account holder or device owner, providing an extra layer of protection against unauthorized access.

Why Use MFA?

  • Using MFA will reduce risk to both you and the owner of the site or service you are accessing.
  • MFA helps guard against fraudulent online activities like phishing scams and identity theft.
  • MFA is more secure than Single-Factor Authentication (SFA), which is usually a username and password. If someone knows these factors, they could have full access to your account, your email, your files, and even the networks you access.
  • With MFA in place, if your username and password are stolen, protected services cannot be accessed without the dynamic additional "factor" or code.

How do I enable MFA?

To enable MFA:

  • Check the security settings on the accounts you use; MFA may be listed under different names, such as:
    • Two Factor Authentication
    • Multi-Factor Authentication
    • Two-Step Verification

Here are some common methods of additional authentication:

Text Message (SMS) or Email: When you log in to an account, the service sends a code to your phone or email account, which you then enter to complete the login. Note that SMS/email is the weakest form of MFA, and you should only use it if none of the other options are available.

Token Authentication: A token can be provided either via hardware (usually a small, keychain-sized device with a digital screen) or software. It is assigned to a user and generates a dynamic authentication code at fixed intervals.

Authenticator App: A type of token, an authenticator app generates MFA login codes on your smartphone. When prompted for your MFA code, launch the app and type in the displayed number. These codes often expire every 30 or 60 seconds.

Push Notification: Instead of using a numeric code, the service "pushes" a request for access to your phone. You can approve the request via the pop-up notification or deny it if you did not initiate the authentication request.

FIDO Authentication: FIDO stands for "Fast Identity Online" and is the gold standard of MFA. The FIDO protocol is built into all major browsers and phones. It can use secure biometric authentication mechanisms - such as facial recognition, a fingerprint, or voice recognition - and is built on a foundation of strong cryptography. Often it uses a physical device called a "key," which is essentially an encrypted version of a key to your house. Learn more about FIDO keys from the FIDO Alliance.

Want to learn more about MFA? 

CISA.gov: Multi-Factor Authentication

Set up multifactor authentication for Microsoft 365

NIST.gov: Multi-Factor Authentication