Security and Privacy in a Networked World/Training: Herding cats: difference between revisions

Source: KakuWiki
Revision as of 4 May 2014, 08:33

Intro

Security can be a difficult thing to train. Humans tend to strive towards "preserving face" and avoiding humiliating or embarrassing situations - and many security-related incidents are exactly that. This brings the temptation to 'brush it under the carpet' - leave the incident unreported and hope that someone else takes the rap.

In U.S. army slang, there is an acronym known as SNAFU - Situation Normal, All **** Up. SNAFU is based on the notion that efficient communication is only possible between more or less equal peers - as soon as one side is significantly lower/subordinate, he or she will face the temptation to present the situation in a more favourable light to avoid unpleasant reactions. At the same time, in many cases the amount of damage depends greatly on a prompt response - yet in a SNAFU situation, the 'higher' side does not learn about the actual situation until it is too late to respond effectively.

Training the users/employees in security awareness can help significantly reduce these factors.


Awareness training - some possible topics

Generic

  • We are targets - the overall awareness training should focus on the PIBKAC issues and the different motives of attackers, ranging from teenage pranksters to professional data thieves or Stuxnet-style 'cyberoperations'. The employees should realize that no one is 'too small/unimportant' or 'too hard/smart' to be targeted.
  • Social Engineering - trust as a central concept, the gradual nature of attacks (learning some non-critical information and using it to create trust and access critical data), various techniques (including the ones for bypassing physical security, e.g. tailgating or shoulder surfing).


Main technologies

  • Web
  • E-mail
  • Instant messaging
  • Social networks
  • Wi-Fi
  • Mobile devices
  • Cloud services


  • Access control - passwords and other measures
  • Data security - creation, maintenance and safe destruction
  • Threats from inside
  • Children online
  • Damage control


Special groups

  • IT staff - those actually in charge of technology, including administrators, developers, support/helpdesk etc. While these employees tend to be more knowledgeable about IT risks, lax attitudes towards security are a common problem (Estonians may recall the case with Eesti Telefon - it was leaked to the media that their main server's admin password was "kala" (fish)...). Training should generally focus on actual examples and be clearly connected to the security policies in place.
  • Higher management - can be especially difficult to train due to their limited time and sometimes also mixed attitudes (reluctance to learn, feeling 'above the law' etc). Training should especially focus on social engineering, mobile/travel/cloud and data security, but should also ensure adequate knowledge of common application usage (e.g. e-mail). Also, clear connections to security policies and stressing their universality (i.e. everyone must comply) may help.
  • Service staff (janitors, drivers, couriers etc) - a major target for social engineers, therefore the training must focus on recognizing and neutralizing SE-based attacks. However, with training these people can be valuable in countering threats due to their mobility and "low profile" image ("just a janitor - he is supposed to be there").

Environment

  • Physical security - doors and locks
  • BYOD and teleworking
  • Protecting home
  • Travelling abroad


Additional reading and links

...


Study and Blog

  • Pick a topic above (e.g. passwords or social networks) and write a short awareness training programme for your colleagues (those who do not work may use a fictional company).