Security Awareness Blog

Security Awareness Top Ten Topics - #10 Hacked

This post is the tenth and final in a series of what I consider the top ten topics for any security awareness program. Selecting the right topics with greatest value for your organization is key to a successful program. This series is not designed to tell you what your awareness program must have, instead these posts are designed to give you recommendations, a place to start. For the tenth topic we finish your program with Hacked, specifically how end users can figure out if they have been compromised, and what to do if they have. More and more I see the security community changing focus from just prevention to one also of identifying and responding to incidents. The faster you respond to a successful attack, the greater you can mitigate the damage. Why not turn end users into part of your own sensor network? In fact, SANS has already done this for network administrators with their new SEC 464 course. These are some of the key points I have found most helpful.

1. First, set expectations. End users may be scared to report an incident, the last thing anyone wants to admit is they have been hacked. Be sure your employees understand that bad guys are very persistent and very good, sooner or later it can happen to all of us. Make sure they understand there will be no retribution, in fact by reporting they are helping both the organization and themselves.

2. Second, tell them what to look for, what are indications of a compromise that a end user can detect? Some ideas include

  • Their browser is taking them to websites they do not want to go to.
  • Their anti-virus reports an infected file.
  • There are suspicious or un-authorized accounts added to the system.
  • There are suspicious or un-authorized programs added to the system.
  • Passwords no longer work or they are locked out of their account.

3. Finally, be sure to tell them how to report it, such as a website or email address. One thing I recommend is have this contact information on every communication you send out on awareness, such as on every email, newsletter, poster, screensaver, video, or presentation. You want to make your contact information as consistent and simple as possible. Be sure the contact information is not a person's name but an alias. You do not want changing the contact information every six months.

What are some of the most effective ways you have seen using end users as part of you detection mechanisms? How can we get end users to report incidents?

3 Comments

Posted January 11, 2011 at 2:02 PM | Permalink | Reply

HJohn

I think this is another area where some layers may help.
I often use passwords as an analogy, since they are simple for non-techies to understand. One standard i encounted some years ago set a very long minimum password age with the stated intent that "if a user's account is compromised, having to contact security to change it will force them to report it to security." Good intention, but in practice, human nature to avoid embarrassment and hope for the best often was self-defeating. It turned out better to encourage them to report it, but let them change their password because it lined up security with the user's interest.
It's very important to educate, encourage reporting, assure users that anyone can fall victim, and that there is nothing to be embarrassed about. But having some corrective education may help with those who are just too embarrassed to step forward may be useful. It's a fine line'' you risk them trying to correct it themselves instead of reporting it, which must be balanced against the risk they'll leave something both unreported and uncorrected.
No perfect solutions. It's good to have such dialogue, which is why I'm thankful for this site.

Posted January 11, 2011 at 2:25 PM | Permalink | Reply

lspitzner

It is a tough balance. One idea we discussed in my MGT 443 security awareness course was rewarding people who report infected systems. However we agreed this can quickly backfire on you as you are then motivating people to infect their own systems. I still have not figured out the right balance of enforcement and reward, in part because every organization's culture is different. Keep the great feedback coming!

Posted January 12, 2011 at 2:12 PM | Permalink | Reply

HJohn

@lspitzner: " However we agreed this can quickly backfire on you as you are then motivating people to infect their own systems."
________________
Definitely. And even for those who wouldn't infect their own systems, they are probably more inclined to click that link or open that attachment. If it's legit, great, if it infects, then get the reward.
Part of the balance I guess'' reprimand may deter carelessness, but it will also deter reporting. reward may encourage reporting, but it wil also encourage carelessness. What works best may vary in different settings.