Part 23 (1/2)
Issuing an information security policy to every employee that spells out the security rules will not, by itself, mitigate your risk.
Every business must not only define the rules in written policies, but must make the extra effort to direct everyone who works with corporate information or computer systems to learn and follow the rules. Furthermore, you must ensure that everyone understands the reason behind each policy, so that people don't circumvent the rules as a matter of convenience. Otherwise, ignorance will always be the worker's excuse, and the precise vulnerability that social engineers will exploit.
The central goal of any security awareness program is to influence people to change their behavior and attitudes by motivating every employee to want to do his or her part to protect the organization's information assets. A great motivator in this instance is to explain how their participation will benefit not just the company, but the individual employees as well. Since the company retains certain private information about every worker, when employees do their part to protect information and information systems, they are actually protecting their own information, too.
The training effort needs to reach every person who has access to sensitive information or corporate computer systems, and must be continuously revised to update personnel on new threats and vulnerabilities. Employees must see that senior management is fully committed to the program. That commitment must be real, not just a rubber-stamp "we give our blessings" memo, and the program must be backed up with sufficient resources to develop it, communicate it, test it, and measure its success.
The basic guideline that should be kept in mind when developing an information security training and awareness program is that the program must create in all employees an awareness that their company might be under attack at any time. They must learn that each employee plays a role in defending against any attempt to gain entry to computer systems or to steal sensitive data.
Because many aspects of information security involve technology, it's too easy for employees to assume that the problem is being handled by firewalls and other security technologies. A primary goal of training should be to create awareness in each employee that they are the front line needed to protect the overall security of the organization.
Security training must have a significantly greater goal than simply imparting rules. The training program designer must recognize the strong temptation on the part of employees, under pressure to get their jobs done, to overlook or ignore their security responsibilities. Knowledge about the tactics of social engineering and how to defend against the attacks is important, but it will only be of value if the training is designed to focus heavily on motivating employees to use that knowledge.
The company can count the program as meeting its bottom-line goal if everyone completing the training is thoroughly convinced and motivated by one basic notion: that information security is part of his or her job.
Employees must come to appreciate and accept that the threat of social engineering attacks is real, and that a serious loss of sensitive corporate information could endanger the company as well as their own personal information and jobs. In a sense, being careless about information security at work is equivalent to being careless with one's ATM PIN or credit card number. This can be a compelling analogy for building enthusiasm for security practices.
Establishing the Training and Awareness Program
The person responsible for designing the information security program needs to recognize that this is not a one-size-fits-all project. Rather, the training needs to be developed to suit the specific requirements of several different groups within the enterprise. While many of the security policies outlined in Chapter 16 apply to all employees across the board, many others are unique. At a minimum, most companies will need training programs designed for these distinct groups: managers; IT personnel; computer users; non-technical personnel; administrative assistants; receptionists; and security guards. (See the breakdown of policies by job assignment in Chapter 16.)
Since the personnel of a company's industrial security force are not ordinarily expected to be computer proficient, and, except perhaps in a very limited way, do not come into contact with company computers, they are not usually considered when designing training of this kind. However, social engineers can deceive security guards or others into allowing them into a building or office, or into performing an action that results in a computer intrusion. While members of the guard force certainly don't need the full training of personnel who operate or use computers, nonetheless they must not be overlooked in the security awareness program.
Within the corporate world there are probably few subjects about which all employees need to be educated that are simultaneously as important and as inherently dull as security. The best designed information security training programs must both inform and capture the attention and enthusiasm of the learners.
The aim should be to make security awareness and training an engaging and interactive experience. Techniques could include demonstrating social engineering methods through role-playing; reviewing media reports of recent attacks on other less fortunate businesses and discussing the ways those companies could have avoided the loss; or showing a security video that's entertaining and educational at the same time. There are several security awareness companies that market videos and related materials.
NOTE
For those businesses that do not have the resources to develop a program in-house, there are several training companies that offer security awareness training services. Trade shows such as Secure World Expo (secureworldexpo.com) are gathering places for these companies.
The stories in this book provide plenty of material to explain the methods and tactics of social engineering, to raise awareness of the threat, and to demonstrate the vulnerabilities in human behavior. Consider using their scenarios as a basis for role-playing activities. The stories also offer colorful opportunities for lively discussion on how the victims could have responded differently to prevent the attacks from being successful.
A skillful course developer and skillful trainers will find plenty of challenges, but also plenty of opportunities, for keeping the classroom time lively, and, in the process, motivating people to become part of the solution.
A basic security awareness training program should be developed that all employees are required to attend. New employees should attend the training as part of their initial indoctrination. I recommend that no employee be provided computer access until he has attended a basic security awareness session.
For this initial awareness and training, I suggest a session focused enough to hold attention, and short enough that the important messages will be remembered.
While the amount of material to be covered certainly justifies longer training, the importance of providing awareness and motivation along with a reasonable number of essential messages in my view outweighs any notion of half-day or full-day sessions that leave people numb with too much information.
The emphasis of these sessions should be on conveying an appreciation of the harm that can be done to the company, and to employees individually, and on good security work habits. More important than teaching about specific security practices is the motivation that leads employees to accept personal responsibility for security.
In situations where some employees cannot readily attend classroom sessions, the company should consider providing awareness training using other forms of instruction, such as videos, computer-based training, online courses, or written materials.
After the short initial session, longer sessions should be designed to educate employees about specific vulnerabilities and attack techniques relative to their position in the company. Refresher training should be required at least once a year. The nature of the threat and the methods used to exploit people change constantly, so the content of the program should be kept up to date. Moreover, people's awareness and alertness diminish over time, so training must be repeated at reasonable intervals to reinforce security principles. Here again the emphasis needs to be as much on keeping employees convinced of the importance of security policies and motivated to adhere to them as on exposing specific threats and social engineering methods.
Managers must allow reasonable time for their subordinates to become familiar with security policies and procedures, and to participate in the security awareness program. Employees should not be expected to study security policies or attend security classes on their own time. New employees should be given ample time to review security policies and published security practices prior to beginning their job responsibilities.
Employees who change positions within the organization to a job that involves access to sensitive information or computer systems should, of course, be required to complete a security training program tailored to their new responsibilities. For example, when a computer operator becomes a systems administrator, or a receptionist becomes an administrative assistant, new training is required.
Training Course Contents
When reduced to their fundamentals, all social engineering attacks have the same common element: deception. The victim is led to believe that the attacker is a fellow employee or some other person who is authorized to access sensitive information, or authorized to give the victim instructions that involve taking actions with a computer or computer-related equipment. Nearly all of these attacks could be foiled if the targeted employee simply followed two steps:
Verify the identity of the person making the request: Is the person making the request really who he claims to be?
Verify whether the person is authorized: Does the person have the need to know, or is he otherwise authorized to make this request?
NOTE
Because security awareness and training are never perfect, use security technologies whenever possible to create a system of defense in depth. This means that the security measure is enforced by the technology rather than by individual employees, for example, when the operating system is configured to prevent employees from downloading software from the Internet, or from choosing an easily guessed password.
If awareness training sessions could change behavior so that each employee will always test any request against these two criteria, the risk associated with social engineering attacks would be dramatically reduced.
A practical information security awareness and training program that addresses human behavior and social engineering aspects should include the following:
A description of how attackers use social engineering skills to deceive people.
The methods used by social engineers to accomplish their objectives.
How to recognize a possible social engineering attack.
The procedure for handling a suspicious request.
Where to report social engineering attempts or successful attacks.
The importance of challenging anyone who makes a suspicious request, regardless of the person's claimed position or importance.
The fact that they should not implicitly trust others without proper verification, even though their impulse is to give others the benefit of the doubt.
The importance of verifying the identity and authority of any person making a request for information or action. (See "Verification and Authorization Procedures," Chapter 16, for ways to verify identity.)
Procedures for protecting sensitive information, including familiarity with any data classification system.
The location of the company's security policies and procedures, and their importance to the protection of information and corporate information systems.
A summary of key security policies and an explanation of their meaning. For example, every employee should be instructed in how to devise a difficult-to-guess password.
The obligation of every employee to comply with the policies, and the consequences for non-compliance.
Social engineering by definition involves some kind of human interaction. An attacker will very frequently use a variety of communication methods and technologies to achieve his or her goal. For this reason, a well-rounded awareness program should also cover the following:
Security policies related to computer and voice mail passwords.
The procedure for disclosing sensitive information or material.
Email usage policy, including the safeguards to prevent malicious code attacks such as viruses, worms, and Trojan Horses.
Physical security requirements such as wearing a badge.
The responsibility to challenge people on the premises who aren't wearing a badge.