CYBER INFORMATION SECURITY
AWARENESS AND
PROTECTION PRACTICES
Strengthening Your Community at the
Organizational Level
Las Vegas, Nevada
2012
Security Awareness and Why It Is Important
In today’s economic climate, information is every organization’s most important asset, and the loss of it could be
catastrophic. Beyond the loss of the asset itself, a breach of an organization’s network can result in:
• Damage to organizational reputation
• Loss of revenue
• Assessment of fines and penalties
• Significant costs to restore and protect customer data
• Complete shutdown of business operations
Beyond the organization, network systems that provide community services, such as hospitals, financial
institutions, governments and public-sector critical infrastructure, have the potential to put an entire community
at risk if compromised.
While no single solution will prevent every possible scenario, the protection of information as an asset is the
responsibility of everyone in the home, community, and organization from the top down. Every member is
part of the team and must take a leadership role for the protection of information and the systems that
manage information.
Building a strong Information Security Awareness Program is a key element that helps to ensure that
information in your care, and the system(s) which store, process or transport information remain accessible
and uncompromised. The person using the information is likely the weakest link in its protection and
therefore, promoting a strong awareness program is vital to protecting the community as a whole.
Information security includes cyber security and data security. Though some use these terms
interchangeably, when discussing information security, each has specific issues regarding the protection of
different types of systems, data and information. An example of cyber security may be the systems used by a
train to switch from one track to another, or a missile’s guidance system. An example of data security is how
your computer and tablet store data and distinguish one user’s ability to access it from another user’s. Information
security can also include the paper copy of your bank statement or email correspondence you had with a friend.
Regardless of where on the security paradigm you sit, you are critical to the protection of your personal
information, your company’s email service and even your community’s ability to offer services. Your correct
use of an information system can affect the continued use of other systems distant from you, perhaps
systems of which you have no knowledge, sort of like sneezing and spreading germs. Your mouse
click on an email link can launch an attack on a whole range of computer systems. Yes, your actions have
that potential.
Keeping with the sneezing analogy, protection of the community can be as simple as covering your mouth,
washing your hands and getting a flu shot. Or, in the information security world, NOT clicking on
unknown links, NOT sending unprotected information over email, and USING up-to-date anti-virus software.
Information security is not easy to get your arms around. Bad guys are releasing new attacks and launching
social engineering schemes daily in an attempt to convince you to click on something. They are sitting near
you at your favorite Wi-Fi hotspot and, if you read the paper, the headlines will tell you how they are
launching “all out attacks” on our country and its infrastructure. Just like the sneeze, the community needs
your help to prevent the spread of the problem.
Information Security Myths: Hackers Are Not Interested in Me
The following myths are examples of why many organizations do not move forward with a strong cyber
security program. The end result could be devastating losses to the user, organization, customers and the
community.
1. Myth: Most hackers are kids in their teens just trying to give you a hard time.
False: Cybercrime is big business. The first generation of cybercriminals was certainly teenagers
seeking notoriety. From there, cybercrime evolved into a profit motive pursued by organized gangs of
increasing sophistication, and then into a full-fledged industry where malware is bought, sold and supported.
2. Myth: The biggest security threat for my company comes from hackers.
False: Published studies have shown that 50% to 80% of incidents resulting in significant financial loss
have come from insiders (mostly employees), who can do more harm because they know where the
sensitive data is located, what the system weaknesses are, and how to get the data.
3. Myth: Most hackers only attack big companies because that is where the money is.
False: Historically this has been true, but the trend has changed and attackers are now looking for
smaller easy targets where the discipline of information security is not well practiced.
4. Myth: Security solutions are expensive and cumbersome.
False: The biggest risk to your information and a company’s intellectual property is social engineering.
Social engineering is a method of obtaining information from individuals, usually by deception, in which the
user unknowingly releases valuable information.
Providing your employees with awareness training in social engineering tactics and safe use of social
media is a low-cost measure with a high rate of return.
5. Myth: We hire a hacker once a year to perform a penetration test, so we know our network is secure
and our data is safe.
False: Penetration tests are a snapshot in time of the security of your network, devices and PCs. Every
day, new viruses and vulnerabilities are introduced, paving the way for opportunistic hackers. Ongoing
processes and procedures aligned with information security best practices, together with awareness training, are the
best ways to protect your data.
6. Myth: Anti-virus software and firewalls are all I need to protect my network.
False: Current anti-virus software and properly deployed firewalls are important tools that protect your
network and your information; however, they cannot guarantee that you will be protected from all
attacks. Since a new form of malware is released onto the internet every 13 seconds, anti-virus software
cannot keep up. At best, anti-virus software is thought to catch only 30% of the viruses and malware that
are out there. Layered security, careful behavior by all users and keeping these technologies updated are the
best way to reduce your risk.
7. Myth: If a hacker penetrates my network we will detect it and can prevent any damage.
False: Studies have shown that hackers infiltrate and remain in networks for as long as 3-4 months
without detection before they are discovered. In some cases, it may be a third party, such as a customer,
who reports the compromise.
SO WHO IS THE BIG BAD WOLF?
A Brief Look at Cyber Data Security Threats
Threats and vulnerabilities to the safety of your information are growing quickly, and new malware, hacks
and viruses are popping up every minute. Typically, the Big Bad Wolves are those who seek personal gain
from your information.
The following are some of the more common threats to consider.
• Employee Actions: Employees, whether intentionally or unintentionally, can open your network to
those whose intent is to do harm.
• Malware and Viruses: Emails or websites containing malware intended to disrupt computer
systems can be opened inadvertently, due to a lack of awareness of the associated threats.
• Spyware: Malware typically loaded onto your system by clicking on a link, and used to gather
information as your system is used.
• Hackers: Those who obtain financial and other information to sell online and/or for other personal
gain. Hackers may target specific companies, but mostly, systems are randomly searched for easy
entry points.
• Hacktivists: This hacking has a different motive. Hacktivists target organizations they disagree
with and want to stop the target’s ability to continue its work, or to cause the organization
embarrassment. Politically or financially motivated, they are normally in opposition to the
organization’s mission and goals.
• Web-Page Takeover: Someone else takes control of your website; this may be done as an act of
cyber-espionage.
• Cyber Terrorists: Typically groups whose goal is to disable the American economy by
interrupting business. These attacks are often targeted at large national organizations regardless of
the services they provide.
• Disgruntled Employees or Ex-Employees: The potential for these individuals to steal from or
defraud you by accessing your information is a reason to remove their system access at the time of
termination, or to limit their access to information they do not require.
• Employees Involved in High-Risk Activities: Such employees often visit websites catering to those
activities. These sites commonly promote insecure practices, and therefore those visiting them
are more apt to cause system problems.
• Vendors, Outside Sales Representatives and Trainers: It is important to have information
security policies in place and to limit the access of third parties and contractors who access or support your
network.
• Mobile Devices, Flash Drives and Social Media: These common mechanisms present potential risks
and must be considered in your information security awareness training and practices.
• Phishing Emails: Posing as legitimate emails from your bank or other vendors, phishing emails are
in fact a false front for identity theft, asking for information such as passwords and/or account
numbers.
Awareness Campaigns
The best awareness campaigns are simple: informational posters, flyers or emails that heighten awareness
of the organization’s information security practices.
Employee Awareness, Training and Security Practices
1. New Employees: New employees should receive Information Systems Security Policies and training
during orientation and should be required to sign indicating their understanding and intent to comply.
2. Exiting Employees: Interview all outgoing employees, regardless of their position, to ensure any unique
passwords have been reported, and to ensure that company data and property, including devices, are
returned. IT should immediately disable network, system and remote access for all terminated
employees, reset their passwords, and develop a policy for the ongoing retention of that employee’s files
and data and the authorization required for others to access them.
3. Employees Who Leave Without Notice: In addition to the above measures for exiting employees,
additional measures should be considered for those who leave without notice. Secure their computer, check
for system viruses or evidence of breaches, and monitor the network for any attempts they may make to
access it for several weeks following their departure.
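One way to carry out the monitoring recommended in items 2 and 3 is to check authentication logs for any sign-in attempt by a terminated account after its departure date. The script below is an added example, not part of the original brochure; the log line format, the account names and the departure dates are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: terminated accounts and the date their access should have been disabled.
TERMINATED = {
    "jdoe": datetime(2012, 3, 1),
    "asmith": datetime(2012, 3, 5),
}
MONITOR_DAYS = 30  # "several weeks" after departure, as the brochure recommends

# Constructed sample log lines (hypothetical format: timestamp, result, user, source IP).
SAMPLE_LOG = """\
2012-02-28T17:02:11 ACCEPT user=jdoe src=10.0.0.21
2012-03-02T08:14:05 FAIL user=jdoe src=203.0.113.7
2012-03-02T08:14:39 ACCEPT user=jdoe src=203.0.113.7
2012-03-03T09:00:00 ACCEPT user=bwayne src=10.0.0.30
2012-03-20T22:41:17 FAIL user=asmith src=198.51.100.9
2012-05-15T10:00:00 FAIL user=jdoe src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (ACCEPT|FAIL) user=(\S+) src=(\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "result": result, "user": user, "src": src}

def post_termination_attempts(log_text, terminated=TERMINATED, monitor_days=MONITOR_DAYS):
    """Return events where a terminated account tried to authenticate on or after its
    departure date and within the monitoring window. A successful sign-in is the most
    serious finding, because it means access was not actually disabled."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] not in terminated:
            continue
        departed = terminated[ev["user"]]
        if departed <= ev["ts"] <= departed + timedelta(days=monitor_days):
            ev["severity"] = "HIGH" if ev["result"] == "ACCEPT" else "MEDIUM"
            findings.append(ev)
    return findings

if __name__ == "__main__":
    for f in post_termination_attempts(SAMPLE_LOG):
        print(f"{f['severity']}: {f['user']} {f['result']} at {f['ts']} from {f['src']}")
```

Attempts before the departure date, or after the monitoring window closes, are deliberately left out so the report stays focused on the period the brochure asks you to watch.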
4. Vendors and Subcontractors: Establish a policy which requires their compliance with your security
rules and policies. Require a Non-Disclosure Agreement to protect privacy and information prior to
granting access to your information systems.
5. Employee Use of Company Equipment: Policy should identify how and when company information
systems, including cell phones, are to be used, and require safe practices.
6. Social Media Policy: Consider adopting a social media policy and ensure that employees are aware of
the risks presented through their use of social media.
7. Reporting: Ensure employees know what, when and how to report suspicious activities.
8. Record Keeping: Ensure your IT personnel keep a log of any suspected hacks, or other questionable
matters, for future investigations.
9. Policies on Changing and Sharing Passwords on Your Computers: Establishing how often
passwords should be updated, the number of characters used in a password, and how those requests are
made of employees will help keep everyone accountable. It is a good idea to keep an updated list of all
important or key passwords in a sealed envelope in a locked safe accessible only by senior management
in the event of an emergency.
10. Establish Standard Operating Policies: Ensure that employees know the organization’s standard
operating procedures for items which may put your network at risk. Some items to consider are:
• Phishing Emails
• Opening Attachments
• Identifying and handling questionable Emails
• Use of Personal/Vendor Flashdrives
11. Personal Computers/Mobile Devices: Accessing company emails or data remotely on a laptop or mobile
device poses a significant risk to your organization. Ensure that you have a clear policy for employees
in the event of a breach. If you allow remote access, ensure that employees are aware of potential
threats such as:
• Smart phones have the potential to be hacked.
• A warm cell phone while not in use may indicate a breach.
• There are programs that can remotely turn on a mobile device’s microphones and cameras
• Anti-Virus Software Updates: Personal laptops and mobile phones should have anti-virus
software. Ensure employees know their responsibility to keep it up-to-date
12. Cloud Storage and Online Tools: Many employees enjoy online tools; however, it is important for
them to realize, that many of those tools are in what is referred to as a cloud and the server is often
housed in another state or country. Remind employees that the use of cloud related products should be
approved prior to being used.
13. Reporting Procedures for Compromised Data or Possible Breaches: Ensure that every employee
knows that a suspected compromised system should be identified immediately, who to report it to, and
that a delay in notification can increase the damage.
14. Significant Breaches That Must Be Reported to Law Enforcement: Depending on your company’s
work and the severity of the breach, local law enforcement may need to be contacted. Companies should
know that in cases such as child pornography, contacting law enforcement is required and the company
can be in jeopardy if contact is not made. Be sure to secure the computer until law enforcement arrives.
Such computers should NOT be turned off, as that will erase the cache memory; they should, however, be
disconnected from the network to avoid further damage.
15. Disaster and Recovery Planning: Having a plan in place and completing emergency drills will keep
you prepared in the event of an actual emergency and hopefully will minimize the downtime of your
business.
16. How Often Should I Train and How Do I Get It to Everyone: The frequency of awareness training is
based on your company’s information security risks. Training can be as simple as a reminder of a single
security practice or learning about a new threat. Department staff meetings are a great way to update
multiple employees at one time. Depending on their position, employees can also attend local training seminars, and
vendor meetings are valuable resources for providing low- or no-cost training. In all cases, training
should be an ongoing activity regardless of the form.
REFERENCES
Cyber Security Program Resources, Clark-Las Vegas Community
Policy & Standards
• SANS Institute Security Policy Project: www.sans.org/resources/policies/
• National Security Agency (NSA) Security Configuration Guides: http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/
• National Institute of Standards and Technology (NIST) Security Publications: http://csrc.nist.gov/publications/
Information Sharing
• Multi-State Information Sharing and Analysis Center (MS-ISAC): http://www.msisac.org/
• Department of Homeland Security (DHS) Communication and Interoperability, Memorandums of Understanding, Various Tools: http://www.safecomprogram.gov/
• Information Systems Security Association (ISSA): https://www.issa.org/
• Defense Information Systems Agency (DISA) Security Technical Implementation Guides: http://iase.disa.mil/stigs
• ISACA: https://www.isaca.org/Pages/default.aspx
Federal / Great for Families
• United States Computer Emergency Readiness Team (US-CERT): http://www.us-cert.gov
• National Center for Missing and Exploited Children: www.netsmartz.org
• DHS Critical Infrastructure / Key Resources: http://www.dhs.gov/files/programs/gc_1189168948944.shtm
• Common Criteria: http://www.commoncriteriaportal.org/
• Forum of Incident Response & Security Teams (FIRST): http://www.first.org
Training
• The Center for Infrastructure Assurance and Security (CIAS): www.ciastraining.com
• The Texas Engineering Extension Service (TEEX): www.teexwmdcampus.com/
• The Cyberterrorism Defense Initiative (CDI): http://www.cyberterrorismcenter.org
• National Cyber Security Alliance: http://www.staysafeonline.org/
• Anti-Phishing Working Group: http://www.stopthinkconnect.org/
• On Guard Online: www.onguardonline.gov
• Federal Trade Commission Identity Theft – Deter, Detect, Defend: http://www.ftc.gov/bcp/edu/microsotes/idtheft
Credit Monitoring
• www.freecreditreport.com
• www.annualcreditreport.com (one free credit report per year from each of the three credit reporting agencies)