Topic 1: Introduction to Information Security

E – Learning Course Information

OBJECTIVES

1. To introduce and define information and information

security.
2. To demonstrate the importance of information security,
the role employees have to play and its impact.
3. To illustrate the different types of cyber criminals that can
jeopardise our information security.
4. To highlight the different types of cyber threats and ways
we can protect our information security.
5. To outline the good information security practices.
Why Is This Course Important?

This is the first of a series of courses that will eventually help you to:

1. Understand the nature of the potential information security threats facing

Axiata.
2. Recognise why we need to protect the confidential information entrusted to
us.
3. Understand your responsibilities in supporting our information protection
policies.
4. Properly handle a possible or actual information security incident or data
loss.
5. Be aware of the existence of the Confidentiality, Integrity and Availability
(CIA) model as the three most crucial components of security.
6. Gain understanding on the specific actions to safeguard our information
security.

Let’s get started.

Course Content
Course Content

1 Introduction to Information

2 Introduction to Information Security

3 Knowing Our Enemy and Protecting Axiata

Types of Cyber Criminals
Protect Our CIA
Protect Our Facility
Protect Our Network
Protect Our Identity
Protect Against Malicious Website
Protect Our Mobile Device
Protect Against Insider Threats
4 Good Information Security Practices

5 Assessment
Introduction to
Information
What is Information?
Information is an asset which, like other important business assets, has value to
an organisation and consequently needs to be suitably protected.

Whatever form the information takes, or means by which it is shared or stored,

it should always be appropriately protected.

All information is valuable but our increasing reliance on sophisticated

processes and technology makes it ever more critical to us, and an ever more
tempting target for those wanting to exploit it.

Information can be:

Created Destroyed Processed Lost

Stored Transmitted Corrupted Stolen

We need your help to protect and secure our information.

 Introduction to
Information Security
Information Security
What is Information Security?
All the processes and practices we implement to protect networks, computers,
applications and data from attacks on the C-I-A triad (Confidentiality, Integrity, and
Availability).

Why Do We Care?
Estimates upwards of 250 billion dollars of loss associated with Cyber Crime!

Every year, the Director of National Intelligence publishes an unclassified “Worldwide

Threat Assessment.” The year 2018 report was published listing “Cyber” is the first (and
greatest) threat listed.

But where does our biggest threat come from?

PEOPLE.

Our people working across the Axiata Group.

Even with the absence of malicious intent, often times, information security is
compromised due to employees’ lack of understanding on how to work in a secure
manner.
Taking Information Security Seriously
At Axiata, information security is not just about looking out for your own well-
being. We gather, process and safeguard critically sensitive customer data on a
daily basis across the globe.

Our customers need total confidence in us as trustworthy custodians of their

data.

That means, we need to take information protection very seriously. We already

have several controls in place to protect our assets, and securely handle our
customers’ data:
Administrative Control Technical Control Physical Control
• Policies • Access Controls
• Procedures • Encryptions
• Guidelines • Firewalls • Controlled physical
• Employee Screenings • IDS access to resources or
• Change Control • IPS buildings
• Security Awareness • HTTPS
Trainings • Physical Control

However, these controls are nothing without our most important line of defense:
YOU.
Do I Have a Part?
To know, answer these questions:

Do you have information that needs to be kept confidential?

Do you have information that needs to be accurate?

Do you have information that must be available when you need it?

If you answered “YES” to any of these questions, then yes, you DO have
a part to play in Axiata’s information security.
How Do I Play My Part?
You can ensure you play your part in protecting our information by:

Keeping Keeping it
Keeping to
hold of our confidential
our values
valuables

Keeping
Keeping us
vigilant and
all safe
diligent
How Will I Help?
You will be helping Axiata to:

Protect Minimise
Ensure business
information from potential
continuity
a range of threats financial loss

Increase
Optimise return
business
on investments
opportunities

Business survival depends on

information security.
Knowing Our Enemy
and Protecting Axiata
Types of Cyber Criminals

Engage in critical and forward thinking to

understand the origins of cyber criminals!!
Protect Our C-I-A (1/2)
Fundamentally, information security is based on the CIA model where controls are
applied in an effort to protect the Confidentiality, Integrity, and/or Availability of
information:

INFORMATION
&
SERVICES
Protect Our C-I-A (1/2)

Confidentiality
• Measures taken to prevent sensitive information from reaching the wrong people while
making sure the right people has access to it.
• In order to ensure confidentiality, organisation employees must be aware of the risk
factors and threats as well as how to guard against them.

Integrity
• Assures the sensitive data is trustworthy, accurate and consistent.
• Security measures are taken to ensure that sensitive data cannot be modified by
unauthorised users.
• Backups or redundancy plans should be planned to restore any affected data in case of
an integrity failure.

Availability
• Enabling constant online connection to the internet and sustain productivity.
• Minimising business disruption and keeping business operational is critical.
Protect Our Facility
How can our facility be compromised? What can you do?

You are the ears and the eyes of the

A successful attack originates with the
building – watch out for who enters and exits
attacker on the premise.
our building!

Physical access to the Axiata building can Escort people without Axiata IDs to security
lead to theft and allow them to launch a – do not just leave them there and go about
network attack. your business!

Attackers can use a physical attack to lower

Prompt responses such as ‘ I have noticed
Axiata’s defense like sounding a fire alarm
that you don’t have Axiata ID with you, I’ll
and causing the building to be evacuated.
walk you to the security desk so that you
can get a temporary one.
Regulations and laws need to be applied
even in the event of an emergency and
sensitive data must be protected. Watch out for suspicious characters
hovering around your workplace and the
building premises.
The safety of the Axiata employees is a
priority.
Protect Our Network (1/2)
Brute Force
Attacker tries to
discover the password
Browser Attack for a system through
Breach a machine trial and error
through a web
browser

Network DDoS Attacks

Attacker overwhelms
Attacks website with traffic
Phishing Emails and crashing our
Attackers creates system
messages to lure
victims into
downloading malicious
attachments

Worm Attacks
Malicious software
that spreads once it
infects our machine
Protect Our Network (2/2)
Make sure the
Making sure that web address has
websites we visit a symbol
Encrypt our is legitimate and
mail and trusted
sensitive files
Scan all files Lock Our
before we Computer
download and
only download
from trusted Protect
sites What Can physical
access to our
We Do? system

Don’t bring
media to work
from home Don’t connect
Seek without prior unknown
approval Seek
approvals from systems to the approvals from
IT security network IT security
team team
Protect Our Identity (1/3)
What is Personal Identifiable Information (PII)?
▪ Over 18 million people were victims of identity theft in 2017 and the number is
on the rise.
▪ PII is any information that can lead to locating and contacting an individual and
identifying that individual uniquely:
• Full Name, Mother’s Maiden name
• Identification Number (IC)
• Address, Phone Number
• Driver’s License / Road Tax
• Biometrics
• Other uniquely identifying characteristics

Information sharing leads to compromise as we share more and more about

ourselves through various platforms.

Our responsibility at work to protect the PIIs of customers as we protect our

own PIIs as well.

Identity theft starts off with the attacker acquiring little information that
ultimately leads to a wider array of information.
Protect Our Identity (2/3)
Identity Theft
Identity theft is the crime of obtaining the personal or financial information of
another person for the sole purpose of assuming that person's name or
identity to make transactions or purchases.

In a business context, identity thieves may steal employee/ customer data, or

even the company’s identity, putting company reputation at risk.

What does it mean to you?

Life-Threatening
Financial Potential Criminal
Complications
Ramifications Charges
(Medical)

• Thousands of dollars • Trouble getting • Criminal might

in debt accrued in your prescriptions if impersonate you
name. someone else has using your ID to
already claimed it commit crimes which
• Scarred credit history.
under your name. consequently leads
• Additional cost to you to be charged
• Medical mistakes due
resolve financial errors with criminal offense.
to misinformation
(legal fees etc.).
linked to your name.
Protect Our Identity (3/3)
How can you protect your identity?

Secure your personal info

• Be wary of your wallet as it contains all your sensitive information such as IC and
driver’s license.
• Review your receipts. Promptly compare receipts with account statements. Watch for
unauthorised transactions.
• Shred receipts, credit offers, account statements and expired cards to prevent ‘dumpster
divers’ from getting your personal information.
• Store personal information in a safe place at home and at work.
• Watch out for shoulder surfers specifically with coded-access to buildings when using
ATMs.

Secure your workplace

• Clean Desk Policy – Sensitive info must be kept secured.
• Ensure the firewalls and virus-detection software are constantly updated on your home
or your work computer.
Protect Against Malicious Websites (1/2)

How do malicious websites work?

Attackers make millions of dollars by tricking end users (US).

Rogue websites are used to collect information, intercept information and distribute
malicious software such as a keylogger that tracks all our key strokes.

Browser Hijacking: If a site won’t allow you to access any other site, be suspicious!
Has your homepage or search engine been modified without your permission?

Sites inundated with “Buy Now” offers and pop-ups, indicates trouble and often “free
downloads” install spyware or other applications on your system.

Sites that say they have “Scanned your computer and have detected viruses” should
always be treated with suspicion.

Poorly built sites where it is difficult to find the information you are looking for.

If every link seems to lead to an advertisement, find a more legitimate site to conduct
your business.
Protect Against Malicious Websites (2/2)

What can we do?

Avoid suspicious Don’t download files

websites – use your from peer to peer sites
instincts! (BitTorrent / Limewire).

Use secure protocols

when surfing the web Don’t change your
(HTTPS) – The S default browser
stands for secured. security settings.

Don’t ignore any

Call your IT security
security warnings that
team when faced with
can save you from
difficult situations.
virus attacks.
Protect Our Mobile Device (1/2)

Applications often
share information
with other
applications across Contacts and other
different platforms. sensitive
information are
often easily
Portability makes compromised.
them vulnerable.

Bluetooth is
inherently insecure.
Protect Our Mobile Device (2/2)

What can we do to protect our mobile devices?

Use strong passwords or passcodes. Don’t enable information sharing

between apps unless necessary.
Disable Bluetooth when not in use.
Don’t connect to a work system or
Backup and protect your data. work network with your own mobile
device unless you have express
Enable remote wipe function and permission.
consider the “Find your device
option”.
Report anything suspicious to the
security team!
Be cautious about what you share –
text is not inherently secure.

Don’t ‘jailbreak’ or ‘root’ your

device – leaves your device open
Download only secure applications. to vulnerabilities!
Protect Against Insider Threats (1/2)
Insider Threat, which is a form of security risk that originates
within the organisation comes in three (3) categories:
• Malicious Insiders
o People who take advantage of their access to inflict
harm on an organisation.
Definition • Negligent Insiders (Main Focus)
o People who make errors and disregard policies, which
place their organisations at risk.
• Infiltrators
o External actors that obtain legitimate access credentials
without authorisation.

An insider threat does not have to be a present employee or stakeholder,

but can also be a former employee, board member, or anyone who at
one time had access to proprietary or confidential information from
within an organisation or entity.
Protect Against Insider Threats (2/2)
How do we protect Axiata against insider threats as employees?
MAIN
FOCUS ➢ Axiata employees need to complete trainings to upskill
themselves with cyber security best practices.
➢ Beware of malicious emails that ask for us to expose our
Negligent credentials for criminal purposes.
Insiders
➢ Watch out for our workspace and make sure we don’t
haphazardly leave our documents and belongings
around.

Malicious
Insiders
➢ Axiata is in the midst of establishing an insider threat
programme in which the high level details will be shared
across all employees.
➢ If employees notice something amiss or a random
stranger, employees must immediately notify security.
Infiltrators
Good Information
Security Practices
Good Information Security Practices (1/2)

Always logoff or lock your system even if you leave

for a short time.
01
Keep systems patched and up to date.
02
Use strong passwords and protect your passwords.
03
Encrypt sensitive files to ensure confidentiality of
data.
04
Watch what you share and be cautious of what
information you put out there.
05
Good Information Security Practices (2/2)

Never let someone have access to your system

with your credentials.
06
Be wary of individuals looking for information or
access to the building.
07
Disable unsecured applications on the phone or
laptop.
08
Report any potential breach to your IT security
team.
09
If something feels wrong or uncomfortable, trust
your instinct and ask for help.
10
Assessment