What is it?
Information classification is an on-going risk management process that helps identify critical information assets - data, records, files - so that appropriate information security controls can be applied to protect them. It is the cornerstone of an effective and efficient business-aligned information security program.
Your agencies retain a wide variety of information assets, many of which are sensitive and/or critical to your mission and business functions and services. Information is being accessed through, and maintained in, a wider variety of formats and environments. If you do not know what information assets you have, their value to the business, and where they are stored, how can you assure they are protected properly?
Secure System Development Life Cycle Standard
The Secure Systems Development Lifecycle (SSDLC) defines security requirements and tasks that must be considered and addressed within every system, project or application that is created or updated to address a business need. The SSDLC is used to ensure that security is adequately considered and built into each phase of every system development lifecycle (SDLC).
The SSDLC toolkit was developed to assist project, systems and application teams in collecting the appropriate artifacts and documentation to fulfill the security tasks in the SSDLC standard (NYS-S13-001). The security tasks within the SSDLC map easily to the phases of most SDLCs and should be used as a guideline for initiating the security tasks.
Phishing Attacks - Are You at Risk?
One of the most common online scams is called phishing. Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by masquerading as a trustworthy entity. Online scammers will pose as legitimate businesses, organizations, or individuals. If they are able to gain the trust of their victims, they can leverage this trust to convince victims to willingly give up information or click on malicious links or attachments. Online scammers can make their communications appear to be those of legitimate businesses or organizations, by spoofing the email address (i.e., email with a forged sender address), creating a fake website with legitimate logos, and even providing phone numbers to an illegitimate customer service center operated by the scammers.
Two common types of phishing attacks:
- Phishing Email - One of the best known forms of phishing is an email scam. An email, purporting to be from a popular company or organization, may ask you to click on a link in order to fix a problem with your account. In other instances, the email message may threaten to close your account if you do not respond. Scammers often claim that your security has been compromised in order to increase the likelihood that you will respond.
- Spear Phishing - Spear phishing is a personalized email attack in which a specific organization or individual is targeted. These attacks are prepared using information about an individual to make the email appear to be legitimate and induce the recipient to divulge sensitive information or download a malicious file. Such attack preparation is often based on extensive information gathering on the targets and has become one of the favored methods used in cyber espionage.
Phishing scams can be difficult to identify; however, being aware of the threat and being vigilant in examining emails can reduce the risk that you will fall prey to such an attack.
- Be cautious about all communications you receive, including those that purport to be from "trusted entities." Be careful when clicking any links contained within those messages. If in doubt, do not click.
- Do not send your personal information via email. Legitimate businesses will not ask users to send sensitive personal information through email.
- Keep an eye out for telltale signs: poor spelling or grammar, the use of threats, or a URL that does not match that of the legitimate site.
- Be wary of how much information you post online. The less information you post, the less data you make available to a cybercriminal for use in developing a potential attack or scam.
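Two of the telltale signs listed above (a link whose visible text names one site while its target points elsewhere, and a reply address on a different domain than the claimed sender) can be checked mechanically. The following is an added example, not code from this page or from EISO; it uses only the Python standard library, and the sample message, the `.example` domains and the `examplebank.example` brand name are constructed for illustration. The "registrable domain" helper keeps only the last two labels, which is a simplification; a production filter would consult the public suffix list.

```python
"""Flag two common phishing indicators in a raw email: anchor text that
names one host while the href points at another, and a Reply-To domain
that differs from the From domain. Constructed example for awareness
training; not a substitute for a mail security gateway."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; a bare domain without a scheme is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def visible_host(text):
    """Hostname implied by anchor text, or '' if the text is not URL-like."""
    candidate = text.strip()
    if not candidate or " " in candidate or "." not in candidate:
        return ""
    return host_of(candidate)


def registrable_domain(host):
    # Simplification (assumption): last two labels stand in for the
    # registrable domain. Real deployments should use the public suffix list.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse(raw_email):
    """Return a list of human-readable findings (empty list means no indicator fired)."""
    msg = message_from_string(raw_email)
    findings = []

    # 1. Visible link text vs. actual link target (the "URL does not match" sign).
    collector = _LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        shown, actual = visible_host(text), host_of(href)
        if shown and actual and registrable_domain(shown) != registrable_domain(actual):
            findings.append(f"link text shows {shown} but points to {actual}")

    # 2. Reply-To on a different domain than the claimed sender.
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if from_addr and reply_addr:
        from_dom = registrable_domain(from_addr.rpartition("@")[2])
        reply_dom = registrable_domain(reply_addr.rpartition("@")[2])
        if from_dom != reply_dom:
            findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return findings


# Constructed sample message exhibiting both indicators.
SAMPLE_PHISH = """\
From: "Example Bank Support" <alerts@examplebank.example>
Reply-To: support@mail-verify.example
Subject: Action required: verify your account
Content-Type: text/html

<html><body>
<p>Your account will be closed unless you verify now.</p>
<p><a href="http://login.account-verify.example/reset">https://www.examplebank.example/login</a></p>
<p><a href="https://www.examplebank.example/help">Help center</a></p>
</body></html>
"""

# Constructed legitimate-looking message: link text and target agree, no Reply-To.
SAMPLE_CLEAN = """\
From: "Example Bank Support" <alerts@examplebank.example>
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body><p><a href="https://www.examplebank.example/statements">www.examplebank.example/statements</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, analyse(raw) or ["no indicators"])
```

Anchor text that is not URL-like (such as "Help center") is deliberately ignored, because a mismatch can only be claimed when the text itself names a host; a link labelled with plain words is judged by the reader, not by this check.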
- Anti-Phishing Working Group: http://www.antiphishing.org/resources/overview/avoid-phishing-scams
- Federal Trade Commission: https://www.consumer.ftc.gov/articles/0003-phishing
Phishing Awareness Quiz Resources:
- OnGuardOnline.gov Phishing Scams (Game): http://www.onguardonline.gov/media/game-0011-phishing-scams
- OpenDNS Phishing Quiz: https://www.opendns.com/phishing-quiz/
- SonicWALL Phishing IQ Test: http://www.sonicwall.com/phishing/
These links are provided because they have information that may be useful. The NYS Enterprise Information Security Office (EISO) and the State of New York do not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of EISO or the State of New York.
The New York State Office of Information Technology Services Enterprise Information Security Office (EISO) is dedicated to the protection of the State's cyber security infrastructure and can be a valuable resource for small- and medium-sized businesses. This page is designed to provide you with useful cyber security awareness information, much of it in the form of free resources. The EISO invites you to review the information presented below to improve your business' cyber posture and cyber preparedness.
Why Do Anything?
The Internet, portable devices (e.g., smartphones, tablets, laptops, thumb drives), social media, and email are integral to our daily activities. However, their usage brings associated risks to the information within our organizations. Employers and employees need to be aware of these risks, understand the cyber threats and vulnerabilities, and take appropriate steps to protect the information entrusted to their care. By working together we can collectively improve our State's cyber security posture and cyber preparedness.
- Federal Communications Commission (FCC) Small Biz Cyber Planner 2.0
The FCC's Small Biz Cyber Planner 2.0 tool can be used to create a custom cyber security planning guide for your business. Use this tool to create and save a custom cyber security plan, choosing from a menu of topic areas, to address your specific business needs and concerns.
- U.S. Chamber of Commerce Internet Security Essentials for Business 2.0
The Toolkit explores cybersecurity threats that businesses face and offers a series of solutions and resources to mitigate these threats. The Business guide addresses common online risks and suggests actions that business owners, managers, and employees can take to improve the cybersecurity of their companies.
- U.S. Department of Homeland Security, Stop.Think.Connect. Small Business Resources
Find resources and materials to keep your small business cyber secure.
- National Cyber Security Alliance, StaySafeOnline.org
Keep your business, employees, and customers safe from online attacks, data loss, and other threats with these tip sheets, infographics, and other resources.
For additional cyber security awareness resources and information visit Awareness / Training / Events.