It is a well-known fact that one of the greatest threats in information security comes from within one’s own company. Cybercriminals have become increasingly advanced in their never-ending attempts to manipulate users into compromising systems and exposing valuable information.
Security awareness programs have been implemented on a growing scale due to necessity and compliance requirements imposed by standards such as PCI, FISMA, and HIPAA, to name a few. However, the purpose of implementing a strong, thorough security awareness program is not to simply satisfy compliance needs. The true purpose of a solid security awareness program is to prevent sensitive data loss and the pain and anguish that accompany a breach.
All too often companies and organizations develop security awareness programs to meet the bare minimum of requirements, but achieving compliance with a regulatory standard does not mean the company is secure. To gauge the effectiveness of a security awareness program, data tracking security incidents and employee involvement must be charted from one year to the next as the program is updated and evolved to meet the growing needs of the business.
An effective and thorough security awareness program must have a variety of communication methods and include a range of topics educating the user about the array of tactics utilized by cybercriminals in today’s world. Six of these highly important topics which will be covered in this article are physical security, password security, phishing, malware, wireless security, and safe internet browsing.
One very important topic warranting a comprehensive lesson is physical security. The SANS Institute explains, “When addressing physical security, locking your doors and desk/file cabinet drawers should be the main focus.”
Securing the building’s perimeter and the internal areas containing sensitive information is an important first step towards security, and employees must be aware of this importance. However, in my social engineering experience, locked doors have never prevented me from gaining entry into a building. This is because a company employee has always allowed me access whenever a locked door stood in my way.
My reasoning for needing access to a building has ranged from, “It’s my first day, and apparently they didn’t set my badge up right,” to “I accidentally left my badge in the meeting room. I usually work in the building next door.” Oftentimes, merely tailgating employees as they badged into a restricted area, pretending to badge in behind them, has proven to be highly successful. (One vulnerability of most badge readers is the fact that they produce the exact same sound for a failed badge as they would for an accepted badge. Therefore, the tailgated victim hears the badge reader’s all too familiar ding and assumes the stranger behind him must have a valid badge.)
This is where locking desks and filing cabinets comes into play. In my experience, filing cabinets which should be locked will many times have the keys sitting in the actual locks! If the key is turned to the locked position but is left in the locking mechanism, the filing cabinet is not actually locked, and this concept seems to be overlooked by many employees. Additionally, having roamed the buildings of many companies, I have noticed that unattended desktops are often left unlocked. A malicious individual needs only a couple of minutes’ access to a logged-in workstation to compromise the computer and its data.
Employees assume that because their computers are behind locked doors they are safe, and so they fail to log out when they walk away. Clearly, this is not the case. Therefore, all employees need to be made aware of the seriousness of physical security when protecting sensitive data and working in restricted environments, and they must feel empowered to question a stranger’s presence in these areas.
Companies more often than not require employees to adhere to best practice standards when creating and replacing passwords. Employees need to have an understanding of why the enforced password requirements are important for protecting themselves, as the user, and the company.
It is no secret that simple passwords, such as “Password1”, are incredibly common and predictable. A basic Internet search for the most common passwords turns up article after article listing them. Many articles report the most common email password is “123456,” while other common passwords are “abc123,” “monkey,” and “iloveyou.” Clearly, the necessity of complex passwords is lost on the common user.
The commonality of user passwords is not lost on cybercriminals, and although complex passwords may be enforced through group policies, there is always the occasional account with a weak, predictable password. Ultimately, users should be encouraged during awareness training to create complex passphrases containing special characters and numbers. Statistically, passphrases are easier to remember but far more difficult to crack.
Users should also be made aware of the potential consequences associated with sharing passwords with others. Sharing passwords leaves the user and company vulnerable in a number of ways. Whether the employee entrusted with the shared password misuses the trusting employee’s access or insecurely manages the password, the trusting employee could become a victim and be held accountable for the breach.
Lastly, in regard to password protection, employees must be made aware of the importance of never leaving passwords written anywhere anyone other than the user can view them. Viewable passwords can be utilized for malicious purposes by both those with legitimate building access and those who happen to social engineer their way into the restricted area.
Phishing campaigns targeting companies and sensitive data are increasingly complex and sophisticated. Employees must be aware of phishing and the consequences associated with this attack.
Though the concept is not foreign, sometimes the term “phishing” is, and it is important to clearly define this term for users. The SANS Institute explains, “Examples are key to this portion of security awareness training. Things to avoid (e.g. clicking on links provided in an e-mail, submitting banking and password information via email, etc.) should be highly emphasized so people know what to look for.”
Many users are suspicious of emails with poor grammar and typos which directly ask for user credentials or request that the recipient click a link. Though these phishing emails still circulate in the wild, cybercriminals have become far more devious in their phishing campaigns. Having developed successful phishing campaigns for security assessments, I have found that there are some tactics to which users remain highly vulnerable.
Well-written, articulate emails targeting employees and requesting that a link be followed for important surveys, the new and improved company newsletter, or policy revisions are only a few examples of phishing campaigns that have proven to be successful in the past.
Going one step further and linking the email to a bogus website displaying the company’s name and logos along with username and password entry fields that capture user credentials has proven to be far more successful than not. Furthermore, the tried and true approach of attaching a document posing as a resume or valuable company statistics with an embedded exploit continues to be successful in the phishing world.
Therefore, users must be made aware of the value of suspicion when receiving unexpected emails requesting any information, a link to be followed, or an attached document be opened no matter how legitimate it may appear.
It is no secret that the general public considers the terms “malware” and “virus” to be synonymous. Often the only familiar term to a user is “virus.” IT security personnel have mentioned on several occasions that when the terms malware, Trojans, worms, etc. are used in communications with the general user, the user has no idea what these terms mean, and the seriousness of the situation can never be fully conveyed.
When security personnel are losing valuable time attempting to define terms and explain why a security incident is critical, they can no longer focus all of their attention on stopping the incident and preventing data loss. If everyone in a company, including all management and subordinates, receives a thorough security education that includes defining the terms malware, virus, Trojan, worm, spyware, and adware, security personnel will no longer need to lose hours explaining basic terms in order to communicate the criticality of a situation.
Furthermore, if employees are aware of these terms, their definitions, and the potential impact they may have on a business, they will be better capable of making security conscious decisions while performing daily tasks.
Users with devices capable of connecting to wireless networks should be made aware of the hazards associated with connecting to unknown, unapproved wireless networks. As David Murphy explains in the PC World article “Open Wireless Networks: Just Say No!”, open wireless networks can be cyber-traps. “You might fall victim to harmless pranking from an industrious network owner who filters your traffic over to a separate wireless network to invert all the pictures on web pages you visit. Or you might run afoul of a nefarious networker who has set up a honey pot … to capture the packets of data exchanged between you and an unsecured website.”
Jack Wright developed a program known as “I Love My Neighbors.” This program is relatively harmless and is meant to cause aggravation and confusion as a playful prank without gaining profit. The program performs numerous pranks as the user attempts to surf the Internet over an open wireless connection, including inverting the screen, redirecting links, and slowly blurring the screen, tricking the user into believing something is wrong with his vision. A link to Jack Wright’s presentation explaining “I Love My Neighbors” can be found here.
Not all wireless network trickery is harmless. As mentioned before, a network capturing data packets is not harmless. Moreover, “It (an open wireless network) could be man-in-the-middle-type setup that uses a server to log each and every bit of information you send through the compromised network. It could include rogue DNS records that lure you to a fake version of a popular website (e.g., Facebook). You think you’re logging into the real deal but you’re actually transmitting your credentials to a ne’er-do-well with some networking chops. Woe to the web surfer who uses similar login/password combinations for every site registration!”
To the security professional this information is obvious and represents a true danger; to others, it may not be so apparent. After all, what does a compromised Facebook account, or better yet, a personal email account, have to do with the security of the company? Users have a tendency to utilize the same or similar passwords for all logins.
Moreover, valuable information about employees and the companies for which they work can be harvested from these accounts. With this reconnaissance, a cybercriminal could learn sensitive information about the company or impersonate the employee, causing substantial damage to the business. Given the importance of using only secure, approved wireless networks, employees must be trained to do so and should be educated in the consequences of accessing unapproved wireless networks.
Safe Internet Browsing
Lurking in the wilds of the World Wide Web, malware runs rampant and cybercriminals lie in wait with traps and trickery designed to target and manipulate users into disclosing sensitive information and/or compromising their systems.
Avoiding Internet content laden with malware may seem intuitive to those in the information security field, though all of us have fallen victim at one point or another. To the everyday user, however, avoiding this content is typically not at the forefront of their minds and certainly is not instinctual. Thorough security education must include training employees in safe Internet browsing.
Employees tend to operate under the assumption that because anti-virus is installed on their workstations, they are impervious to malware, but this simply is not true. Keeping operating systems and applications current on critical patches and updating anti-virus signatures are two of several best practice methods employed to prevent a compromised system. However, even the most up-to-date systems and anti-virus software can be bypassed by the latest and greatest exploits. This is where educated and thoughtful Internet browsing comes into play.
Employees with access to the Internet need to be made aware of the potential hazards associated with visiting unknown and unapproved websites, and they need to understand that if a site is blocked, it is most likely blocked for a very good reason.
Creating a solid information security awareness program covering malware, wireless security, and safe Internet browsing in addition to physical security, password security, and phishing is a step in the right direction of arming company personnel against cybercriminals.
An effective security awareness program must consist of a variety of communication methods, cover a range of topics, and be communicated to users on a recurring cycle throughout the year. Importantly, the more often employees are presented with security information in an interesting and engaging format, the more likely they are to retain the information and better protect the company from a painful security breach.
The LBMC Information Security team can help you assess your risks and ensure that your security efforts produce the greatest benefit and have the most effective impact. Contact us today to learn more!