RICH'S MONTHLY ARTICLE
What is Security Awareness?
You are blue in the face; what else can you do? You tell them (in
place of "them", please insert clients, customers, users, managers,
the boss, the Grand Poo-Pah himself, and other names that cannot be
mentioned; it's a family newsletter): don't download applications
off of the internet. Don't walk away from your computer without
locking it. Don't write your passwords down on sticky notes. Don't
believe that placing that sticky note on the monitor is secure, or
that placing it under the keyboard qualifies as a super secret
hiding place. Don't! Don't! Don't! Don't!... There has to be a
better way; you are about to OD on aspirin!
Coming to the rescue is your Security Awareness Program! This
program is implemented organization-wide. While it will limit the
headaches you get, that's not what it is intended for. Its main
purpose is to inform "them" of the threats to your organization,
both IT threats and physical threats.
Your IT threats can include subject matter such as why you
wouldn't use a common word for a password, or why any word found
in a dictionary is not a wise choice. Security Awareness training
would cover the fact that common words and dictionary words are
easily cracked with freely available utilities found on the
internet: such a tool simply tries every word in its list (plus the
usual variations of capitalizing it or tacking a digit on the end),
so breaking those types of passwords is a matter of seconds. Your
awareness training would also make clear that writing down a
password is not accepted, no matter how well intentioned your
employee is. Those super secret hiding places, such as under the
keyboard, under the mouse pad, in the top hand drawer, in the
center drawer, or written on the side of your desktop calendar,
are not that secret! If you want to know more secret hiding places
that your employees use, check with your PC techs; they'll know
where to look.
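To make the "matter of seconds" concrete, the following added example (not code from the newsletter or its author) runs the kind of dictionary attack those utilities perform. It assumes, for illustration only, that passwords were stored as unsalted SHA-256 hex digests; the seven-word list and the mangling rules (case changes, leet substitutions, a one- or two-digit suffix, an optional "!") are constructed stand-ins for the multi-million-word lists and large rule sets real crackers ship with. The same mangling routine doubles as a policy check that rejects any password the attack would find.

```python
"""Dictionary attack against unsalted password hashes (added example).

Assumptions: hashes are unsalted SHA-256 hex digests, and WORDLIST stands in
for a real dictionary file. Both are illustrative choices, not from the article.
"""
import hashlib
import time

# Constructed stand-in for a dictionary file; real lists have millions of words.
WORDLIST = ["apple", "summer", "welcome", "dragon", "monkey", "letmein", "password"]

# Common letter-to-digit substitutions users think make a word "strong".
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})

# Suffixes tried after every base word: nothing, then 0..99.
SUFFIXES = [""] + [str(n) for n in range(100)]


def mangle(word):
    """Yield the variants a cracker tries for one dictionary word:
    the word as-is, Capitalized, UPPER, and l33t, each with every
    suffix, with and without a trailing '!'."""
    bases = [word, word.capitalize(), word.upper(), word.translate(LEET)]
    seen = set()
    for base in bases:
        if base in seen:          # e.g. a word with no leet-able letters
            continue
        seen.add(base)
        for suffix in SUFFIXES:
            yield base + suffix
            yield base + suffix + "!"


def sha256_hex(password):
    """Unsalted SHA-256 hex digest (the assumed storage format)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hash, wordlist=WORDLIST):
    """Try every mangled dictionary word against target_hash.

    Returns (recovered_password, attempts, seconds); recovered_password is
    None when nothing in the wordlist (plus mangling) matches.
    """
    start = time.perf_counter()
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts, time.perf_counter() - start
    return None, attempts, time.perf_counter() - start


def is_dictionary_based(password, wordlist=WORDLIST):
    """Policy check: True if a dictionary attack using the same mangling
    rules would recover this password, i.e. it should be rejected."""
    return any(password == candidate
               for word in wordlist
               for candidate in mangle(word))


if __name__ == "__main__":
    # Constructed sample passwords: three "clever" dictionary variants
    # and one that is not built from a dictionary word.
    for pw in ["Dragon7", "Summer99!", "w3lc0m3", "correct horse battery"]:
        found, n, secs = crack(sha256_hex(pw))
        outcome = f"cracked as {found!r}" if found else "not found"
        print(f"{pw!r}: {outcome} after {n} guesses in {secs:.4f}s")
```

Two caveats a practitioner will want: first, a salted, slow hash (bcrypt, scrypt, Argon2) raises the cost of each guess but does not rescue a dictionary word, because the attacker still only needs a few thousand guesses per account; second, real tools (hashcat, John the Ripper) run far larger rule sets on GPUs, so the toy search here understates, not overstates, how fast these passwords fall.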
Serious IT threats would be revealed as well. Social engineering
would be addressed, so that your users know what type of
information may be given out and what type may not. Awareness
training would also inform your users that the helpdesk or IT
department will never ask employees to reveal their passwords in
any fashion. No IT department personnel will call them on the phone
and ask for their password, or come up to them with a laptop or
PDA and ask them to type in their password to see if it is strong.
No security office will send a link to a web site to test their
password strength or to have them download "patches" for their
systems. Awareness training would inform the users that passwords
are secret and are never recovered or disclosed, only reset: if a
password is forgotten or suspected of being compromised, IT resets
it. All patches and updates will be installed by IT personnel,
after proper testing.
Downloading applications off the internet presents even more
threats. Awareness training would explain why software testing is
done by IT: to look for security breaches or compromises that
could be caused by the software in question. Employees would be
made aware of the threats of mobile code, such as Java applets and
ActiveX controls (yes, that pretty rose suspended over a
shimmering lake, with mountains in the background)! Employees
would find out that while the rose is pretty, the application may
be pretty busy gathering information from the system. The
information collected could be passwords or addresses from the
user's address book, or sensitive data could be disclosed.
The physical threats are just as serious and can be overlooked if
they are not being looked for specifically.
An example of a security threat that your employees should look
for is piggybacking (also called tailgating). This term refers to
the practice of following someone in through a door after they
have authenticated, for example with a key card, to enter a
facility. Shoulder surfing is another physical threat that your
employees should be aware of. This is the practice of looking over
an employee's shoulder to see what is on the monitor screen, or to
look at what is being typed on a keyboard. Awareness training would
make them aware of these types of threats and would also make them
aware of common countermeasures for those threats. Piggybacking
would be addressed by having a guard monitor the entrance, or,
more often, by relying on the employee to close the door behind
them and to challenge anyone who tries to follow without badging
in. Shoulder surfing would be addressed by having higher partitions
to block easy viewing of an employee's screen, a privacy filter on
the monitor, or the placement of a mirror on the monitor so the
employee can see if anyone is behind them.
Awareness training is a necessary tool in keeping your employees
informed about security policies and security practices. This
training will also explain to the users why certain measures are
in place, which in turn encourages their compliance with security
policies. Awareness training will help your security staff and IT
staff do their jobs more efficiently. They will not have to go
around being the "computer police"; they can work on higher risk
threats! Now you can put that aspirin bottle away. Now you can
take those trouble calls from the engineering department. The
engineers want to know why they don't have administrator access to
everything. On second thought, maybe you had better keep that
aspirin bottle close by!
Rich Llanas, CISSP, MCSE