Security Awareness Blog

The 3rd Top Three Security Awareness Topics

Earlier this week we discussed the importance of focusing your awareness training on a few, high-impact topics and then identified what we consider the top nine within the SANS Securing The Human library. Today we discuss the third and last set of three of those topics and why our Advisory Board selected them.

Passwords: Let's be honest, passwords are a complicated, broken concept. Unfortunately, they remain the primary way people authenticate to most systems and online sites, so we have to teach people how to protect themselves when using them. One of the key mistakes we see in password training is organizations focusing only on password length and complexity. Those matter, but we are finding it more important to teach people how to properly USE passwords: a unique password for each account, never sharing a password, turning on two-step verification wherever it is offered, and using a password manager. This is one of the toughest topics to teach, because you have to be comprehensive and simple at the same time.

Data Security: This is the catch-all topic that covers the steps involved in protecting data: sharing data only with authorized users, storing or transferring confidential data only by secure means, including encryption, and securely destroying data that is no longer needed. Almost every organization has some type of confidential data that needs to be protected, whether PHI, PII, NPI, student data, cardholder data or organizational intellectual property. As such, you need to lay the foundation for how to handle and protect that data.

Hacked: Security awareness needs to go beyond the human firewall; we need to develop the human sensor, people who can identify and report indicators of compromise. That is precisely what this topic does. It teaches people the indicators of a hacked device and how to report it. In addition, we need to make sure people feel comfortable reporting the incident. In many ways, using technology is like driving a car: no matter how safe you are, sooner or later you will most likely have an incident. The more comfortable people feel reporting an incident, the more secure your organization will become.


3 Comments

Posted December 16, 2013 at 7:55 PM

HJohn

This is great, but I would expand these two sentences a bit: "It teaches people the indicators of a hacked device, and how to report it. In addition, we need to make sure people feel comfortable reporting the incident. "
In an ideal world everyone would report incidents, and you are dead-on correct that making people feel more comfortable should be a priority. However, we still must consider human nature, and there will always be people who put self-preservation and avoiding embarrassment (or some are just plain shy) ahead of reporting.
A few years back, I wrote of a federal standard which advocated a long minimum password age. The logic was that they wanted users to have to report an incident in order to change their compromised password. The problem was their options: 1) report it and risk embarrassment or reprimand, or 2) ignore it and hope for the best, and play dumb if something happens.
My suggestion was to allow password changes in order to change the equation to: 1) ignore it and risk an incident, or 2) change it and avoid an incident.
Reporting, while important, is another step. If someone, no matter how much you try to make them comfortable, is too shy or embarrassed to report something, you ideally should have another plan that lines the best interest of the employee up with the security of the organization. Options that put someone's perceived self-interest against the company's best interest will likely fail too often.
Great work.

Posted December 17, 2013 at 1:22 PM

lspitzner

Great feedback Jay, thanks for sharing! Also, one of the challenges you may encounter is actually having too many people reporting, becoming overwhelmed when many people report the same or basic phishing emails. Just like any IDS, the human sensor will need to be 'tuned'.

Posted December 18, 2013 at 9:13 PM

HJohn

I just received the Fraud Examiner newsletter and they highlighted a story on passwords. It's pretty interesting. It included an analysis of the two million passwords compromised. Disturbing that 8 of the top 10 passwords were numeric only (always in sequence), and the other two were characters only (password and admin).
Of course, one of my questions is why did the rules even allow such weak passwords? Seems that even seemingly benign accounts would carry risks associated with spam, disclosure, and dual use.
In any case, the Fraud Examiner story is here:
http://www.acfe.com/fraud-examiner.aspx?id=4294980736
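The post argues that length/complexity rules are not enough, and the comment above describes a leaked list whose top entries were numeric sequences plus "password" and "admin". The block below is an added example, not code from the original post, from SANS or from the ACFE story: it contrasts a complexity-only rule with checks that catch exactly those weak classes (digits-only, sequential, repeated, common word with symbols and digits stripped off) and adds a reuse check across accounts, in line with the "unique password per account" advice. The leaked-password sample and the common-word list are constructed for the demo, not real breach data; a real deployment would check against a breached-password corpus.

```python
"""Added example: password checks beyond length/complexity, plus reuse detection.

The word list and the leaked sample below are CONSTRUCTED for illustration.
"""
import re
from collections import Counter

# Constructed denylist; stands in for a breached-password corpus.
COMMON_WORDS = {"password", "admin", "qwerty", "letmein", "welcome"}

# Constructed sample mirroring the pattern described in the comment:
# mostly numeric sequences, plus "password" and "admin".
LEAKED_SAMPLE = [
    "123456", "123456789", "password", "admin", "12345678", "1234567",
    "111111", "1234567890", "123123", "000000",
]


def complexity_only_ok(pw: str) -> bool:
    """The rule the post warns about: length and character classes only."""
    return (len(pw) >= 8
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def is_sequential_digits(pw: str) -> bool:
    """True for runs such as 123456 or 987654 (constant step of +1 or -1)."""
    if not pw.isdigit() or len(pw) < 4:
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def weakness_reasons(pw: str) -> list:
    """Return the reasons a password is weak; an empty list means no finding."""
    reasons = []
    lowered = pw.lower()
    if len(pw) < 8:
        reasons.append("short")
    if pw.isdigit():
        reasons.append("digits-only")
    if is_sequential_digits(pw):
        reasons.append("sequential")
    if len(set(pw)) == 1:
        reasons.append("repeated-char")
    # Strip digits and symbols so "Password1!" is still seen as "password".
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_WORDS or letters_only in COMMON_WORDS:
        reasons.append("common-word")
    return reasons


def summarize_leak(passwords) -> Counter:
    """Bucket each leaked password into digits-only, common-word or other."""
    counts = Counter()
    for pw in passwords:
        reasons = weakness_reasons(pw)
        if "digits-only" in reasons:
            counts["digits-only"] += 1
        elif "common-word" in reasons:
            counts["common-word"] += 1
        else:
            counts["other"] += 1
    return counts


def find_reused(credentials: dict) -> dict:
    """Map each password used for more than one account to those accounts."""
    accounts_by_pw = {}
    for account, pw in credentials.items():
        accounts_by_pw.setdefault(pw, []).append(account)
    return {pw: accts for pw, accts in accounts_by_pw.items() if len(accts) > 1}


if __name__ == "__main__":
    for pw in ("Password1!", "123456", "x9!Lq2#pZ"):
        print(f"{pw!r}: complexity-only={complexity_only_ok(pw)} "
              f"findings={weakness_reasons(pw)}")
    print("leak summary:", dict(summarize_leak(LEAKED_SAMPLE)))
    # Constructed account-to-password map (hypothetical accounts).
    print("reused:", find_reused({"mail": "Password1!",
                                  "bank": "Password1!",
                                  "vpn": "x9!Lq2#pZ"}))
```

"Password1!" passes the complexity-only rule yet is flagged as a common word once digits and symbols are stripped, which is the gap the post is pointing at; the leak summary reproduces the 8-to-2 split the comment describes on the constructed sample.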