Security and Privacy in a Networked World/Training: Herding cats

Allikas: KakuWiki
Mine navigeerimisribaleMine otsikasti

Intro

Security can be a difficult thing to train. Humans tend to strive towards "preserving face" and not getting into humiliating or embarrassing situations - and many security-related incidents are just that. This brings the temptation to 'brush it under the carpet' - leave the incident unreported and hope that someone else gets the rap.

In the U.S. army slang, there is an acronym known as SNAFU - Situation Normal, All **** Up. SNAFU is based on tne notice that efficient communication is only possible between more or less equal peers - as soon as one side is significantly lower/subordinate, he or she will face the temptation to present the situation in a more favourable light to avoid unpleasant reactions. At the same time, in many cases the amount of damage would remarkably depend on prompt responses - yet in a SNAFU situation, the 'higher' side does not learn about the actual situation until it is too late to respond effectively.

Training the users/employees in security awareness can help significantly reduce these factors.


Awareness training - some possible topics

Generic

  • We are targets - the overall awareness training should focus on the PIBKAC issues and different motives of attackers ranging from teenage pranksters to professional data thieves or Stuxnet-style 'cyberoperations'. The employees should realize that there is no one who is 'too small/unimportant' or 'too hard/smart' to be targetted.
  • Social Engineering - trust as a central concept, the gradual nature of attacks (learning some non-critical information and using it to create trust and access critical data), various techniques (including the ones for bypassing physical security, e.g. tailgating or shoulder surfing).


Main technologies

  • Web
  • E-mail
  • Instant messaging
  • Social networks
  • Wi-Fi
  • Mobile devices
  • Cloud services


  • Access control - passwords and other measures
  • Data security - creation, maintenance and safe destruction
  • Threats from inside
  • Children online
  • Damage control


Special groups

  • IT staff - those actually in charge of technology, including administrators, developers, support/helpdesk etc. While these employees tend to be more knowledgeable about IT risks, lax attitudes towards security is a common problem (Estonians may recall the case with Eesti Telefon - it was leaked to the media that their main server's admin password was "kala" (fish)...). Training should generally focus on actual examples and be clearly connected to the security policies present.
  • Higher management - can be especially difficult to train due to their limited time resources and sometimes also mixed attitudes (reluctant to learn, feeling being 'above the law' etc). Should especially focus on social engineering, mobile/travel/cloud and data security, but also reach adequate knowledge of common applications usage (e.g. e-mail). Also, clear connections to security policies and stressing their universality (i.e. everyone must comply) may help.
  • Service staff (janitors, drivers, couriers etc) - a major target for social engineers, therefore the training must focus on recognizing and neutralizing SE-based attacks. However, with training these people can be valuable in countering threats due to their mobility and "low profile" image ("just a janitor - he is supposed to be there").

Environment

  • Physical security - doors and locks, but also ID-s, keycards, codes and their proper usage. Especially needed for flexi-workers, contractors, IT staff and management who may need to be present at irregular times.
  • BYOD and teleworking - everyone using their own devices puts an extra workload to the IT staff, but this can be held in check with good planning and training. Telework means for the company no physical control over the employee's workplace - and the same device will be connected to the protected (and trusted!) company networks during the day and possibly to some unsafe ones during the off hours (the issue is known as the end node problem). As with other aspects of security, the weakest link is what counts - among the diverse array of devices, just one teleworker still using Windows XP may be enough for a serious breach.
  • Protecting home - connected to the previous point, but additional factors include devices shared with family members with varying levels of security consciousness, online safety for children, controlling one's online habits etc. Depending on the position of the employee, targetting his/her home and family may also result in direct threats to employer.
  • Travelling abroad - in the age of public wireless and mobile roaming networks, many travelling employees (usually from management, marketing or sales) would also work from abroad. Besides being aware of generic mobile device, services and network security, care must also be taken regarding various local regulations and possible interception (especially in places where government has a history of snooping, e.g. Russia or China).

Additional reading and links

...


Study and Blog

  • Pick a topic above (e.g. passwords or social networks) and write a short awareness training programme for your colleagues (those who do not work may use a fictional company).
Pärit leheküljelt "https://wiki.kakupesa.net/index.php?title=Security_and_Privacy_in_a_Networked_World/Training:_Herding_cats&oldid=4252"