Text transcript for the
NYS Cyber Security Awareness Video
Copyright NYS Office of Cyber Security and Critical Infrastructure Coordination

  • Introduction to training video one

First Scenario: “Judy, Judy, Judy”

Scene One
Setting, Executive Office

Chad and the ISO are sitting with executive looking at newspaper headline, “High-ranking official tested positive for drug use.”

Executive:  Well, of course it’s not true.  But this article says that our agency, OUR agency records were referenced by an anonymous source.   How could this have happened?

Chad:  I don’t know how it happened.  There is only one person on my staff that has access to change those records.  And I believe her when she says she had nothing to do with it.

ISO:  I’ve been investigating this.  And it looks like an inside job.  Let me walk you through what I think happened.

Scene Two
Setting, Work Unit

Two office workers are at the coffee machine talking about their weekend.

Gary:  Good morning Connie.

Connie:  Good morning.  How are you doing?

Gary:  Good.  How was your weekend?

Connie:  I had a great weekend.  How about you?

Gary:  A little bit too exciting.

Connie:  Oh yeah.

Gary:  I helped a friend move and his truck broke down.

Connie:  You’re kidding.

Gary:  What a mess.           

Connie:  Oh.

Supervisor approaches

Chad:  Good morning.

Gary and Connie:  Good Morning

Chad:  Hey, listen, we’ve got that training today.  We’ve got to figure out what to do about coverage while we’re away.  Why don’t you grab a donut get your coffee and let’s go in my office and we’ll figure it out.

Gary and Connie:  OK

They get their coffee and sit down at a small table in Chad’s office

Chad:  I talked to administration yesterday about trying to get some coverage for us today.  They’re sending Judy to help us out.

Gary and Connie:  Oh… man

Chad:  So listen, is there anything that we absolutely have to have done before we get back?

Connie:  Well, I have some health forms that have to be entered in today, and that’s easy.  She just needs the id, the social security number, name that sort of stuff.   And she can handle that, I’m pretty sure.

Chad  (to Connie):  Okay, so you can show Judy how to sign on and do what you have to do?

Connie:  Sure, I’ll give her my password.

Chad  (to Gary):  Great.  Gary, anything you need to get done before we get back?

Gary:  Nope, I’m all set.

Chad:  Okay good.  Hey listen, I have to tell you something.  Today is Judy’s last day with the agency.  I’ve been told, it’s because she’s unhappy about being passed over for promotion.  I have also heard it is because she is late all the time.  So I think we better plan for her to be late again today. So, maybe we should come up with something in case she is.

Connie:  Well, we should stay as long as we can, but if she is late, we can write her a note.  We can prop the door open, and she can do what she has to do.

Chad:  Can you take care of that?

Connie:  Sure. 

Chad:  Good.  Okay.

They’re all ready to leave for training, but Judy still isn’t there.  They decide to go.  Connie writes her password on a post-it note.  Connie props open the door and tapes a piece of paper on it.  The post-it note is on Connie’s monitor.

Chad, Connie and Gary leave for the training.  Show that Chad has left his computer signed on.

Scene Three

Judy arrives and sees the note.  She grabs the note and reads it aloud.

Judy:  “Judy, thanks for covering for us.  We waited as long as we could but had to leave.  Please enter health forms onto the system.  Forms, file names, and password are on my desk.”

(Angrily)  Yeah, it’s just like them to leave me THEIR work!!! 

She enters the office, sits at the computer and takes a look at the post-it note with Connie’s password. 

Judy:  Password is “Connie.”  Oh that’s clever, like I could not have figured out that one.

She signs onto the health claim file using Connie’s password.  She pauses to help herself to snack jar on desk.  She begins snooping around the system.

Judy:  Well, what do we have here?  I didn’t know you had access to executive records.  So, you think you’re too good to wait for me, Connie?  Well it’s payback time.  I’m going to help you update your files.

Judy enters false data into the record.

Judy:  That’s good.  But, I should share it with someone… onto the web… YES.  (She works at the keyboard)  Here we are.  (Speaking while she’s typing) Message to: newsdesk@dailyexposure  Subject:  High-ranking official fails drug test.  That’s good, Send.

Judy:  I can just see it now. ‘Sir, Can you tell me why you failed the drug test?  Is it true that you have long term use of recreational drugs?’  Ha-ha!  That’s good.

Judy leaves Connie’s desk and starts wandering around the office looking through Connie’s and Gary’s papers and looking at her watch, killing time.  She wanders into Chad’s office.  She notices Chad’s resume and cover letter. 

Judy: Oh Chad left his machine on, good!  Hmmmmm.  Making a career change, Chad.  Very interesting, well let me help you burn some bridges!

Judy:  (She speaks aloud to herself as she types)  Message to:  headhuntersRus.  Subject:  Accepted other offer.  Text: Dear sir, I’ve accepted a more generous offer from another firm, and quite frankly, I wasn’t that impressed with your organization.  Have a nice day, Chad. There you go Chad.  Send that right off. Oops, I wouldn’t want to leave this without password protection.  Why don’t I just give you a little password, here Chad. There you go, all set.

She then adds a password to Chad’s machine.  She snoops around Chad’s office looking through booklets and under papers.  Then she walks back over to Connie’s area, picking up the note Connie left, and reads it aloud.

Judy:  Health forms, done (checks it off on the list) She writes on the note, reading as she writes.

“Chad, Connie and Gary:  Finished work.  Waited as long as I could, but had to leave.  Hope you learned a lot at your training!  Judy  (smiley face)”

Scene Four

Back to the setting with Chad, the Executive and the ISO

Executive:  (to Chad) I realize that your staff did not intend for this to happen.  But it did and they need to fix it. (to ISO)  I want to make absolutely certain that this doesn’t occur again.  Can we prosecute?

ISO:  Well, the State Police are investigating this.  They’ve asked for copies of our audit trails and logs.

You know, the machines down there were pretty messed up. A password was changed, files were altered.  Some of our staff couldn’t even sign on.  It’s rare that such a series of small incidents would come together in such a big way.  When little things like this happen; like a password being left in plain view or a machine left on unattended, we might not even notice.  Put all this together and we can have a serious breach of security.

I’ve fixed the damage, but I think this reinforces my earlier recommendation that all employees need information security training.  Unless everyone knows his or her own responsibility, information security is going to continue to be a problem. 

Executive:  I agree; we need to take a look at the total picture and look at it now.    Assemble a team to address the most critical issues and review our policies.  Bring in one person from each program so that we can deal with this on an agency wide basis. And come up with a plan that we can discuss at our next Executive Staff Meeting.

ISO:  I’ll get right on it.

Bullets

  • Keep passwords protected at all times.  Don’t share them with others or write them down.
  • Do not leave your PC on and unattended.
  • Be familiar with and follow policies and procedures. 
  • Insiders, as well as outsiders, can compromise your computer systems. 
  • Information should be accessible only by people who have legitimate uses for it.

Voiceover the slides:

  • Use a strong password. 
  • It should be easy for you to remember, but long enough and complex enough to be hard to guess or “crack.”   Use a mix of letters and numbers or special characters.  One way to create a password you can remember is to use the first letter of each word in a phrase or sentence.
  • Don’t store passwords on your computer or use them in automatic log-ons.
  • Don’t share your password with anyone and don’t write it down.  If you think your password has been compromised, change it.
  • Don’t leave your PC logged on, unattended and unprotected.
  • Be familiar with and follow information security policies and procedures.  They exist to protect all of us.
  • Insiders, as well as outsiders can compromise your computer systems.  Unfortunately, disgruntled employees as well as well-intentioned, uneducated “helpers” can be destructive.
  • Information should be accessible only by people who have legitimate, job-related uses for it.  We are ALL responsible for the confidentiality and protection of the information that is at the core of our business. 
  • Contact your Information Security Officer immediately when any breach of security or theft has occurred.
  • We all must do our part to ensure good security.  Follow procedures and don’t be afraid to ask questions.
  • Remember--- It’s YOUR responsibility

Second Scenario: Fun and Games

Scene One

A typical office setting.  Joanne (Ruth’s secretary) is sitting in her cubicle, right outside Ruth’s office, working on her PC.    

Ruth (stopping by Joanne’s cubicle): Oh Joanne – do you think you could order some new bookcases and chairs for the new employees that will be coming in a few weeks? 

Joanne: Sure, I’ll go on the internet and I’ll order them on-line.

Ruth: Great, thanks.  (Ruth walks into her office out of view)

Joanne: OK

Scene Two

Scene shows Joanne working on her PC.

Bill (another employee stops by Joanne’s cubicle and drops some papers into Ruth’s in-basket on Joanne’s desk): Hi Joanne, hey, I’m going down to the cafeteria to get some lunch, would you like to join me?

Joanne: Oh… No, I can’t, I brought my lunch today and I’ll probably just eat right here at my desk.  We’re going away for the weekend and I want to download some games and stuff for the kids.  I’m hoping that will keep them occupied so they don’t drive my mother crazy all weekend.

Bill: Ok, I’ll see you later. (Bill leaves the scene)

Joanne: Alright, bye.

Scene Three

Joanne sitting at her desk working on her PC.

Joanne (talking to herself): Ok, I’ve got all that stuff ordered for Ruth.  Now I want to check out that site that Mary told me about with the games for the kids.  (talking to herself as she surfs the internet): 

Oh, those games look great... I bet the kids will love em.  (She downloads a couple of games that she thinks her kids will like.  She continues surfing.)  Let’s see, what else is there?  Oh, there’s that internet radio site that Bill has set up on his computer.  That’s a great idea.  I think I’ll set that up on mine also.

Scene Four

Late in the afternoon of that same day, Joanne is again working at her PC.

Joanne (talking to herself): What is the problem with this PC!?!  This is the third time today that it’s frozen up on me! (She picks up a phone listing of agency numbers): What’s that Help Desk number?  (Joanne picks up the phone and calls the Help Desk): Hi, this is Joanne Burke on the 3rd floor.  Yeah, I’m having a problem with my PC, it keeps freezing up on me.  I know you’re busy.  Yeah, I know it’s a little bit late.  Yeah, Okay.  I’m going to be leaving myself soon anyway, so.  Alright.  First thing tomorrow morning would be great.   Alright. Yep. Thanks.  Bye.

Scene Five

It’s early the next morning; Ruth is just sitting down in her office at her PC with a cup of tea. 

Ruth (talking to herself and clicking on the keyboard in an annoyed way): Hey, what’s the matter with this thing.  I can’t get anything to work.  All I’m getting is this blank screen!   Hmm

Scene Six

Ruth comes around the corner of her office to speak to Joanne.  Joanne is doing some paperwork at her desk; she’s not working on her PC because it has not been fixed from the day before. 

Ruth: (in an exasperated voice): Joanne - would you please call the Help Desk?  I’m having problems with my PC. Tell them to bring somebody up right away.

Joanne:  Sure, I’ll call them right now.  But you know, Bill was in a little bit earlier today and he was having trouble with his PC too, and I know yesterday afternoon I had some problems.  I already put in a call in to them late yesterday afternoon with the problems that I had.   

Ruth: Hmmm, do you think they are connected?

Joanne: I don’t know, but I’ve got a ton of work to do on that report that you want from me and I can’t even do anything until I get my PC fixed.

Scene Seven

Jack (from Tech Support) walks into Joanne’s cubicle to look into the problem she had reported the previous afternoon.  At this point, Bill has walked over to join Joanne and Ruth and they are all standing around Joanne’s cubicle discussing the situation.   Ruth and Bill have joined the discussion.

Jack (to Ruth & Bill): Did either of you happen to install any of the games or set up the internet radio?

Ruth:  No, I don’t use games or the radio or anything like that.  But come to think about it, I did get an e-mail with a strange attachment from Joanne yesterday afternoon...(turning to Joanne), I was going to ask you about that.

Joanne: I don’t remember sending you anything yesterday afternoon.

Bill (to Joanne): You know, I got a strange e-mail from you too yesterday.  I tried to open the attachment but it didn’t seem to do anything.  (Turning back to Jack):  I do use the internet radio service; a lot of people around here do.  I’m not sure if this is related, but my computer is running real slow lately.

Jack: Hmmm, well it seems like we have a bigger problem here than I thought.  So I’m going to call our Information Security Officer.

Scene Eight

It’s a short time later and the scene shows the ISO and Jack walking toward Joanne’s cubicle. Ruth is standing by Joanne’s desk and the two are having a conversation.

ISO (to Jack): From what you’ve told me, it sounds like we’ve got a couple of problems here.  We may have contracted a virus from one of those games that was downloaded over the internet.  And, that internet radio may be slowing down our system.  What we need to do immediately is get word out to all employees not to open any unfamiliar attachments, that we may have a virus.  And ask everyone to immediately disconnect any internet audio services.  If you get right on that I will put together the Incident Response team and we’ll see if we can resolve the rest of the conflicts.

Joanne (looking very chagrined, says to ISO): How was I supposed to know that one of the games I downloaded had a virus? I’ve downloaded lots of things before and there was never any problem.   And as far as the internet radio service, I know a lot of people that use it and I didn’t think it was going to cause any problems.

ISO: Have you been doing those virus protection updates we send you every week?

Joanne (she and Ruth exchange uneasy glances): Well, not really. We weren’t exactly sure how to do it...and we were going to get back to you on that.

ISO: About that internet radio - That kind of continuous on-line service uses a lot of resources, and if enough people were to use it, we could degrade system performance of our network.

Scene Nine

It’s late that same day, and the ISO is meeting with the Executive for a post mortem to explain the whole situation. 

ISO:  Well, the good news is that all of the immediate problems have been resolved and everything is under control now.  The bad news is we have several larger issues that we really have to address.  I put together a report about those issues.  Let me hit the high spots with you?

Executive: Yes

ISO:  OK

  • Number one, we discovered a number of employees are not updating their virus protection on a weekly basis like we have asked them to.
  • Secondly, we had an employee download some games from the internet.  One of them had a virus in it that automatically mailed itself to everyone in her address book.
  • And to further complicate matters, we discovered a number of employees are using an on-line internet radio service here in the office. These internet radio functions use streaming audio technology, and really eat up bandwidth slowing down our system.  We can’t afford to waste important network resources on non-work related things like that.
  • And finally, people are not reporting their problems promptly enough, either to the Help Desk or to me.

Executive: I didn’t realize that things were that messed up around here.  How do you propose we fix it?

ISO: I was hoping you’d ask that, I put together a memo for all employees outlining steps to address the problems. 

The Bullets

    • Update virus software
    • Use Internet for business only
    • Be careful with attachments
    • Contact your ISO immediately
    • We all must do our part
    • Ask questions
    • It’s your responsibility

Voiceover the slides:

  • Be sure to keep virus protection software up to date
  • Never download non-work-related files from the Internet.
  • Don’t use streaming audio or video for non-work purposes. This means entertainment packages like radio, movies and games.
  • Think before opening email attachments.   Don’t rush to open them if they are non-work-related or from someone you don’t know.  Beware of messages that advise you to pass them along to everyone you know.  Fun, tempting, and innocent looking attachments can contain elements that could damage your computer or others. 
  • Contact your Information Security Officer immediately when any breach of security or theft has occurred.
  • We all must do our part to ensure good security.  Follow procedures and don’t be afraid to ask questions.
  • Remember--- It’s YOUR responsibility.

Scenario Three: Thanks For Being So Careless

Scene One

Bob is sitting at home at his desk with his computer on in front of him.  Papers are scattered all over his desk.  However, one stack of papers is prominent, that being employment rejections.  He picks up the stack and sighs; and throws it down again.

Bob: I can’t believe I got rejected again! I really thought I’d get this job!  I deserve that job more than anybody else! Well I’m going to get even with a Mr. Greg Brown (as he picks up the rejection letter from Mr. Brown).  He’ll be sorry he didn’t hire me. 

Bob turns to his computer and brings up the agency web site from where he just got rejected. 

Bob (talking to himself, out loud): Oh, here’s an on-line directory on the agency’s web site. Oh, there’s Greg Brown. Ah, a phone number, but no room number; let’s see if I can get one.  Bob dials the phone number he just found on the web site.

Bob: Hello, this is Tom from delivery services, I got a package for Greg Brown, but the address is smudged, can you tell me what room number he’s in. Uh – huh, room 1164  - - Okay, thanks.

Bob: Boy that was easier than I thought. (He writes the room number on the rejection letter as he hangs up the phone)

Scene Two

Bob walks into the lobby of the agency building.  He is well dressed and is looking at the board in the lobby to direct him to the right floor and office.  He’s carrying a large briefcase.

Security Guard: Hello Sir, May I help you?

Bob: Yes, Hi, I’m from Acme Ware.  I’m here to do a software demo for Mr. Greg Brown in (as he points to his case) your personnel office.  Let’s see he’s on the 11th floor?  Correct!

Security Guard: Let me check.  Yes, Mr. Greg Brown is in Room 1164 – when you enter the elevator and you exit, make a left please.

Bob: Thank you.

Security Guard: Welcome.

Scene Three

Bob arrives in front of the personnel office, looks at the room number (1164), goes in.  He sees Susan the Secretary sitting at a desk near the entrance and says...

Bob: Hi, I’m Bill Johnson, I have an appointment to see Mr. Brown.

Susan flips frantically through Mr. Brown’s calendar. She mumbles his appointments and looks up at Bob.

Susan:  I don’t see you on Mr. Brown’s calendar?

Bob: That’s probably because I spoke with him directly earlier in the day.  He said he would pencil me in.  Probably just forgot to mark it on his calendar.

Susan: OK, have a seat, Mr. Brown is at a meeting.  Probably be back in about 15 minutes.  I have some errands to run and then I’m going to lunch.

Susan leaves the room. Bob waits a few seconds, peeks out of the door to make sure she is gone. Bob goes over to Susan’s desk. He notices a folder that says “Confidential” that is in clear view, and grabs it. He takes the folder and his briefcase with him as he enters Mr. Brown’s office.

Scene Four

Mr. Brown’s office…

Bob: Let’s see if there’s anything interesting in here.  Aha, a laptop, not locked down – Hey, this could have some information I could use.  Bob quickly proceeds to put Mr. Brown’s laptop in his case along with the confidential folder and quickly leaves.

Scene Five

Lobby of the agency building, with Bob coming off the elevator.

Security Guard:   Have a nice day.

Bob:  Thanks, you too.

Scene Six

Mr. Brown’s office area, Susan is back from Lunch and Mr. Brown walks in….

Mr. Brown: Hi Susan, back from lunch already?

Susan: Yeah - it’s so nice out. I wish I could take the whole day off.

Mr. Brown:  Yeah, I know - - My son’s soccer finals are this weekend.  It’s perfect weather.

Susan:  By the way, I faxed those confidential forms that you asked me to fax.

Mr. Brown:  Oh great!  Hopefully they will get back with me.  I’ll check my email.  Mr. Brown goes into his office and immediately notices his laptop is missing.

Mr. Brown: Hey, Susan, have you seen my laptop?

Susan: (as she heads towards Mr. Brown’s office) It was right there on your desk when I left for lunch today.

Mr. Brown: Well it’s not here now.  Was there somebody in the office?! 

Susan: Well - - Me…. Oh, and Bill Johnson was waiting to see you when I left for lunch.

Mr. Brown: Who’s Bill Johnson?!

Susan: You made an appointment with him this morning?

Mr. Brown: I don’t know any Bill Johnson!? Where’s he from?

Susan:  I don’t know.  You better call the Information Security Officer right now.

Mr. Brown:  Alright.  Hey, do you have a copy of that report that I need for our Human Resource Director?

Susan:  No, I thought you were going to take care of it?

Mr. Brown:  Oh no!  It was on the laptop.  I don’t have a back up. I don’t have a printed copy.  It’s due tomorrow and that was a week’s worth of work.

Scene Seven

At Bob’s home showing him opening the confidential folder and looking at the files on Mr. Brown’s laptop.

Bob: Greg, Greg, Greg…..  Let’s see what you have been up to….  Huh, some disciplinary files, a very sensitive report to your manager.  Stuff I can certainly use … ha ha ha… thanks for being so careless.

Bullets

  • Beware of possible intruders
  • Know and practice your agency entry/exit policy
  • Ask for ID
  • Tag equipment
  • Track equipment being removed
  • Require proper authorization for removal of equipment
  • Never leave visitors alone
  • Protect confidential information
  • Secure your laptop
  • Protect all computer and laptop information
  • Backup your files regularly
  • Contact your ISO immediately
  • We all must do our part
  • Ask questions
  • It’s your responsibility

Voiceover the slides:

How could something like this happen?  There were several places where good security practices were not being followed.

  • An intruder can easily obtain information that is publicly available and use it to pose as a person who has legitimate business with you.
  • Agencies should have an entry and exit policy that addresses visitor access.  The policy should be well known,  practiced and should require:
    • That visitors be asked for and show identification
    • That all equipment be tagged
    • That tags be checked when equipment leaves the building and
    • That proper authorization be obtained for removal of equipment
  • Remember, even standard PCs can easily be stolen if security procedures are not practiced!
  • Use caution with visitors.  They should not be allowed to roam the building or be left alone in work areas where they may gain unauthorized access to information or equipment. 
  • Don’t leave confidential folders out in the open.
  • Secure laptops in the office by using a locking device. 
  • Make password protection and encryption standard on laptops.
  • Do regular backups of your laptop and PC, or store files on a local area network.
  • Contact your Information Security Officer immediately when any breach of security or theft has occurred.
  • We all must do our part to ensure good security.  Follow procedures and don’t be afraid to ask questions.
  • Remember--- It’s YOUR responsibility.