Resources

Password Security

Ensure that you have a strong password to protect access to your device and data. A strong password protects you, your employer, your colleagues and your clients. The National Institute of Standards and Technology (NIST) has revised its password guidelines to acknowledge that length, more than complexity, is the most important property of a good password. Creating a strong password may seem daunting, but by following a few best practices you can create a password that is both easy to remember and secure.

  • DO use a passphrase
  • Think of a phrase and then use the first letters of each word to create a complex password that is more memorable. For example, the phrase, "My jersey number when I played college soccer senior year was 27!" can be used to remember the password, "Mj#wIpcssyw27!".
  • Avoid common phrases, famous quotations, and song lyrics.
  • Use a sentence rather than a word. Ex. I love cyber security. Replace letters with numbers and special characters to make it more complex and harder to guess: Ex. I <3 cyber securt!
  • Use a string of unrelated words that have meaning to you. Ex. December Glassware Forest Haircut
  • DO use a unique password for each account.
  • DO use complex passwords and change them in accordance with your agency's policy.
  • DO NOT use personal information associated with you or your family that could be looked up on the internet (e.g., names, phone numbers).
  • DO NOT use repetitive or sequential characters.
  • DO NOT use simple, easy to guess words.
  • DO NOT reuse your personal passwords for work purposes.
  • DO NOT accept "remember my password" or autofill prompts. 
  • DO NOT share your password with others, including friends and family.
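The length-first rule and the DO NOT items above can be enforced mechanically. The following is an added Python example, not a tool from this page or from the NYS CISO, that checks a candidate password for the patterns the list warns against: short length, presence on a blocklist of common passwords, runs of repeated or sequential characters, and personal information supplied by the caller. The minimum length, the blocklist contents and the sample candidates are assumptions constructed for the example.

```python
import re

# Assumed threshold for this example. NIST SP 800-63B requires at least
# 8 characters for user-chosen passwords; longer passphrases are preferred.
MIN_LENGTH = 12

# Constructed stand-in for the blocklist of common and breached passwords
# that NIST SP 800-63B tells verifiers to compare against. A real deployment
# uses a large corpus, not a handful of literals.
COMMON_PASSWORDS = {
    "password", "password1", "welcome1", "letmein", "qwerty123", "iloveyou",
}


def _sequential_run(pw: str, length: int = 4):
    """Return the first window of `length` characters whose code points
    step by exactly +1 or -1 (abcd, 1234, dcba, 9876), or None."""
    for i in range(len(pw) - length + 1):
        codes = [ord(c) for c in pw[i:i + length]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return pw[i:i + length]
    return None


def check_password(pw: str, context_words=()) -> list:
    """Return a list of policy violations; an empty list means the password
    passes. `context_words` are account-specific strings (username, family
    names, phone number) that a deployment would pull from the user's
    profile; here the caller supplies them."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password blocklist")
    # Repetitive characters: the same character four or more times in a row.
    if re.search(r"(.)\1{3,}", pw):
        problems.append("contains a run of four or more repeated characters")
    seq = _sequential_run(pw)
    if seq:
        problems.append(f"contains the sequential run {seq!r}")
    lowered = pw.lower()
    for word in context_words:
        if len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains personal information {word!r}")
    return problems


if __name__ == "__main__":
    # Constructed candidates, including the two examples from the list above.
    for candidate in ("password1", "aaaa12345678", "Mj#wIpcssyw27!",
                      "December Glassware Forest Haircut"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Both passphrase examples from the list pass, while "password1" fails on length and the blocklist and "aaaa12345678" fails on both the repeated and the sequential run. The blocklist comparison is the check NIST SP 800-63B asks verifiers to perform against known compromised passwords; the six literals here only stand in for that corpus.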

For more information visit the following resources:

https://www.cisecurity.org/blog/cis-password-policy-guide-passphrases-monitoring-and-more/

https://us-cert.cisa.gov/ncas/tips/ST04-002

https://staysafeonline.org/stay-safe-online/securing-key-accounts-devices/passwords-securing-accounts/

https://www.sans.org/security-awareness-training/best-password-practices

https://www.sans.org/security-awareness-training/resources/making-passwords-simple

https://www.fbi.gov/video-repository/protected-voices-passphrases-and-mfa-102319.mp4/view

https://krebsonsecurity.com/password-dos-and-donts/


Information Classification

What is it?

Information classification is an ongoing risk management process that helps identify critical information assets - data, records, files - so that appropriate information security controls can be applied to protect them. It is the cornerstone of an effective, efficient, business-aligned information security program.

Your agency retains a wide variety of information assets, many of which are sensitive and/or critical to its mission, business functions and services. Information is being accessed through, and maintained in, an ever wider variety of formats and environments. If you do not know what information assets you have, their value to the business, and where they are stored, how can you assure they are protected properly?



Secure System Development Life Cycle Standard

The Secure Systems Development Lifecycle (SSDLC) defines security requirements and tasks that must be considered and addressed within every system, project or application that is created or updated to address a business need. The SSDLC is used to ensure that security is adequately considered and built into each phase of every system development lifecycle (SDLC).

The SSDLC toolkit was developed to assist project, systems and application teams in collecting the artifacts and documentation needed to fulfill the security tasks in the SSDLC standard (NYS-S13-001). The security tasks within the SSDLC map readily onto the phases of most SDLCs and should be used as a guide for initiating those tasks at the right phase.


Phishing Attacks - Are You at Risk?

One of the most common online scams is called phishing.  Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by masquerading as a trustworthy entity.  Online scammers will pose as legitimate businesses, organizations, or individuals.  If they are able to gain the trust of their victims, they can leverage this trust to convince victims to willingly give up information or click on malicious links or attachments. Online scammers can make their communications appear to be those of legitimate businesses or organizations, by spoofing the email address (i.e., email with a forged sender address), creating a fake website with legitimate logos, and even providing phone numbers to an illegitimate customer service center operated by the scammers.

Two common types of phishing attacks:

  • Phishing Email - One of the best-known forms of phishing is the email scam. An email, purporting to be from a popular company or organization, may ask you to click on a link in order to fix a problem with your account. In other instances, the message may threaten to close your account if you do not respond. Scammers often claim that your security has been compromised in order to increase the likelihood that the recipient will respond.
  • Spear Phishing - Spear phishing is a personalized email attack in which a specific organization or individual is targeted. These attacks are prepared using information about an individual to make the email appear to be legitimate and induce the recipient to divulge sensitive information or download a malicious file. Such attack preparation is often based on extensive information gathering on the targets and has become one of the favored methods used in cyber espionage.

Phishing scams can be difficult to identify; however, being aware of the threat and being vigilant in examining emails can reduce the risk that you will fall prey to such an attack.

Recommendations:

  • Be cautious about all communications you receive, including those that purport to be from "trusted entities." Be careful when clicking any links contained within those messages. If in doubt, do not click.
  • Do not send your personal information via email.  Legitimate businesses will not ask users to send sensitive personal information through email.
  • Keep an eye out for telltale signs: poor spelling or grammar, the use of threats, or a link URL that does not match that of the legitimate site.
  • Be wary of how much information you post online.  The less information you post, the less data you make available to a cybercriminal for use in developing a potential attack or scam.
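The signs listed above (a sender posing as a trusted organization, a link whose visible URL does not match where it points, and threatening or urgent wording) can be checked programmatically on a raw message. The following is an added Python example, not code from this page or from the NYS CISO: it parses a constructed sample email with the standard library and reports each indicator it finds. The sample message, the invented domains, the `EXPECTED_DOMAIN` mapping and the `THREAT_WORDS` list are all assumptions made for the example.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: a "your account will be closed" lure with a
# display name claiming a bank, a sender domain that is not the bank's,
# a Return-Path at a third domain, and a link whose visible text shows the
# real site while the href goes elsewhere. All domains are invented.
SAMPLE_EMAIL = b"""Return-Path: <bounce@mail-alerts.example.net>
From: "Example Bank Security" <security@example-bank-support.example.org>
To: employee@agency.example.gov
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unauthorized access to your account. Verify within 24 hours
or your account will be closed.</p>
<p><a href="http://login.example-bank-support.example.org/verify">
https://www.examplebank.example.com/login</a></p>
</body></html>
"""

# Assumption: the legitimate domain of the organization the display name
# claims. A deployment would keep a table of brands/partners -> domains.
EXPECTED_DOMAIN = "examplebank.example.com"

# Threat and urgency phrases typical of the lures described above (assumed).
THREAT_WORDS = ("urgent", "suspended", "closed", "unauthorized", "verify within")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Hostname of a URL, or the domain part of an email address."""
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    return value.rsplit("@", 1)[-1].strip("<>").lower()


def _same_site(a: str, b: str) -> bool:
    """True when one host equals, or is a subdomain of, the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def phishing_indicators(raw: bytes, expected_domain: str) -> list:
    """Return human-readable findings for the indicators described above."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Display name claims one organization, address is at another domain.
    display, from_addr = parseaddr(str(msg["From"]))
    from_host = _host(from_addr)
    if not _same_site(from_host, expected_domain):
        findings.append(f"display name {display!r} but sender domain is "
                        f"{from_host}, not {expected_domain}")

    # Envelope sender (Return-Path) at yet another domain than the From.
    return_path = msg.get("Return-Path")
    if return_path:
        rp_host = _host(parseaddr(str(return_path))[1])
        if not _same_site(rp_host, from_host):
            findings.append(f"Return-Path domain {rp_host} differs from "
                            f"From domain {from_host}")

    # Link text that is itself a URL for one site while the href goes to
    # another: the "URL does not match the legitimate site" sign.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    links = _LinkCollector()
    links.feed(html)
    for href, visible in links.links:
        if visible.lower().startswith("http") and not _same_site(_host(href), _host(visible)):
            findings.append(f"link text {visible} actually points to {_host(href)}")

    # Threats and urgency in the subject or the tag-stripped body.
    plain = re.sub(r"<[^>]+>", " ", html)
    lowered = f"{msg['Subject']} {plain}".lower()
    hits = [w for w in THREAT_WORDS if w in lowered]
    if hits:
        findings.append("threat/urgency wording: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL, EXPECTED_DOMAIN):
        print("-", finding)
```

On the constructed sample this reports all four indicators. Two caveats for anyone adapting it: a Return-Path at a different domain is routine for legitimate bulk mail sent through a third-party provider, so treat it as a weak signal rather than proof, and a real mail filter should rely on the SPF, DKIM and DMARC results recorded in the message's authentication headers for the "is this sender who it claims to be" question rather than on domain string comparisons alone.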

Additional Resources:

Phishing Awareness Quiz Resources:

These links are provided because they have information that may be useful. The NYS Chief Information Security Office (CISO) and the State of New York do not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CISO or the State of New York.

The New York State Office of Information Technology Services Chief Information Security Office (CISO) is dedicated to the protection of the State's cyber security infrastructure and can be a valuable resource for small- and medium-sized businesses. This page is designed to provide you with useful cyber security awareness information, much of it in the form of free resources. The CISO invites you to review the information presented below to improve your business's cyber posture and cyber preparedness.

Why Do Anything?

The Internet, portable devices (e.g., smartphones, tablets, laptops, thumb drives), social media, and email are integral to our daily activities. However, their usage brings associated risks to the information within our organizations. Employers and employees need to be aware of these risks, understand the cyber threats and vulnerabilities, and take appropriate steps to protect the information entrusted to their care. By working together we can collectively improve our State's cyber security posture and cyber preparedness.

  • Federal Communications Commission (FCC) Small Biz Cyber Planner 2.0

    The FCC's Small Biz Cyber Planner 2.0 tool can be used to create a custom cyber security planning guide for your business. Use this tool to create and save a custom cyber security plan, choosing from a menu of topic areas, to address your specific business needs and concerns.
  • U.S. Chamber of Commerce Internet Security Essentials for Business 2.0

    The toolkit explores cybersecurity threats that businesses face and offers a series of solutions and resources to mitigate those threats. The business guide addresses common online risks and suggests actions that business owners, managers, and employees can take to improve the cybersecurity of their companies.

For additional cyber security awareness resources and information, visit Awareness/Training/Events.
