This post is the tenth and final in a series on what I consider the top ten topics for any security awareness program. Selecting the topics with the greatest value for your organization is key to a successful program. This series is not designed to tell you what your awareness program must have; instead, these posts are designed to give you recommendations, a place to start. For the tenth topic we finish your program with Hacked, specifically how end users can figure out if they have been compromised, and what to do if they have. More and more I see the security community changing focus from just prevention to also identifying and responding to incidents. The faster you respond to a successful attack, the more you can mitigate the damage. Why not turn end users into part of your own sensor network? In fact, SANS has already done this for network administrators with their new SEC 464 course. These are some of the key points I have found most helpful.
1. First, set expectations. End users may be scared to report an incident; the last thing anyone wants to admit is that they have been hacked. Be sure your employees understand that bad guys are very persistent and very good; sooner or later it can happen to all of us. Make sure they understand there will be no retribution; in fact, by reporting they are helping both the organization and themselves.
2. Second, tell them what to look for: what indications of a compromise can an end user detect? Some ideas include:
- Their browser is taking them to websites they do not want to go to.
- Their anti-virus reports an infected file.
- There are suspicious or unauthorized accounts added to the system.
- There are suspicious or unauthorized programs added to the system.
- Passwords no longer work or they are locked out of their account.
3. Finally, be sure to tell them how to report it, such as a website or email address. One thing I recommend is to have this contact information on every awareness communication you send out, such as every email, newsletter, poster, screensaver, video, or presentation. You want to make your contact information as consistent and simple as possible. Be sure the contact information is not a person's name but an alias. You do not want to be changing the contact information every six months.
What are some of the most effective ways you have seen of using end users as part of your detection mechanisms? How can we get end users to report incidents?