Security Awareness -2023
What is Security Awareness?

Let’s start with a clear understanding of the three different types of learning activities that organizations use, whether for information security or for any other purpose:

Education: The overall goal of education is to help learners improve their understanding of these ideas and their ability to relate them to their own experiences and apply that learning in useful ways.

Training: Focuses on building proficiency in a specific set of skills or actions, including sharpening the perception and judgment needed to make decisions as to which skill to use, when to use it, and how to apply it. Training can focus on low-level skills, an entire task, or complex workflows consisting of many tasks.

Awareness: These are activities that attract and engage the learner’s attention by acquainting them with aspects of an issue, concern, problem, or need.

You’ll notice that none of these have an expressed or implied degree of formality, location or target audience. (Think of a newly hired senior executive with little or no exposure to the specific compliance needs your organization faces; first, someone has to get their attention and make them aware of the need to understand. The rest can follow.)

Security Awareness Examples -2023

Let’s look at an example of security awareness training by using an organization’s strategy to improve fire safety in the workplace:

Education may help workers in a secure server room understand the interaction of the various fire and smoke detectors, suppression systems, and alarms, and their interactions with electrical power, lighting, and ventilation systems.

Training would provide those workers with task-specific, detailed learning about the proper actions each should take in the event of an alarm, a suppression system going off without an alarm, a ventilation system failure, or other contingencies. This training would build on the learning acquired via the educational activities.

Awareness activities would include not only posting the appropriate signage and floor or doorway markings, but also other indicators to help workers detect an anomaly, respond to an alarm and take appropriate action. In this case, awareness is a constantly available reminder of what to do when the alarms go off.

Translating that into an anti-phishing campaign might be done by:

Education may be used to help select groups of users better understand the ways in which social engineering attacks are conducted and engage those users in creating and testing their own strategies for improving their defensive techniques.

Training will help users increase their proficiency in recognizing a potential phishing or similar attempt, while also helping them practice the correct responses to such events. Training may include simulated phishing emails sent to users on a network to test their ability to identify a phishing email.

Awareness activities would raise users’ overall awareness of the threat posed by phishing, vishing, SMS phishing (also called “smishing”), and other social engineering tactics. Awareness techniques can also alert selected users to new or novel approaches that such attacks might be taking.

Let’s look at some common risks and why it’s important to include them in your security awareness training programs.

Phishing

The use of phishing attacks to target individuals, entire departments, and even companies is a significant threat that the security professional needs to be aware of and be prepared to defend against. Countless variations on the basic phishing attack have been developed in recent years, leading to a variety of attacks that are deployed relentlessly against individuals and networks in a never-ending stream of emails, phone calls, spam, instant messages, videos, file attachments, and many other delivery mechanisms. Phishing attacks that attempt to trick highly placed officials or private individuals with sizable assets into authorizing large fund wire transfers to previously unknown entities are known as whaling attacks.

Social Engineering

Social engineering is an important part of any security awareness training program for one very simple reason: bad actors know that it works. For cyber attackers, social engineering is an inexpensive investment with a potentially very high payoff. Social engineering, applied over time, can extract significant insider knowledge about almost any organization or individual. One of the most important messages to deliver in a security awareness program is an understanding of the threat of social engineering. People need to be reminded of the threat and the types of social engineering so that they can recognize and resist a social engineering attack. Most social engineering techniques are not new. Many have even been taught as basic fieldcraft for espionage agencies and are part of the repertoire of investigative techniques used by real and fictional police detectives. A short list of the tactics that we see across cyberspace currently includes:

Phone phishing or vishing: Using a rogue interactive voice response (IVR) system to re-create a legitimate-sounding copy of a bank or other institution’s IVR system. The victim is prompted through a phishing email to call the “bank” via a provided phone number to verify information such as account numbers, account access codes or a PIN, and to confirm answers to security questions, contact information and addresses. A typical vishing system will reject logins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems may be used to transfer the victim to a human posing as a customer service agent for further questioning.

Pretexting: The human equivalent of phishing, where someone impersonates an authority figure or a trusted individual in an attempt to gain access to your login information. The pretexter may claim to be an IT support worker who is supposed to do maintenance or an investigator performing a company audit. Or they might impersonate a coworker, the police, the tax authority, or some other seemingly legitimate person. The goal is to gain access to your computer and information.

Quid pro quo: A request for your password or login credentials in exchange for some compensation, such as a “free gift,” a monetary payment, or access to an online game or service. If it sounds too good to be true, it probably is.

Tailgating: The practice of following an authorized user into a restricted area or system. The low-tech version of tailgating would occur when a stranger asks you to hold the door open behind you because they forgot their company RFID card. In a more sophisticated version, someone may ask to borrow your phone or laptop to perform a simple action when he or she is actually installing malicious software onto your device.

Social engineering works because it plays on human tendencies. Education, training, and awareness work best to counter or defend against social engineering because they help people realize that every person in the organization plays a role in information security.

Password Protection

We use many different passwords and systems. Many password managers will store a user’s passwords for them so the user does not have to remember all their passwords for multiple systems. The greatest disadvantage of these solutions is the risk of compromise of the password manager itself. A password manager may be protected by a weak password or passphrase chosen by the user and so be easily compromised. There have been many cases where a person’s private data was stored by a cloud provider but easily accessed by unauthorized persons through password compromise. Organizations should encourage the use of different passwords for different systems and should provide a recommended password management solution for their users. Examples of poor password protection that should be avoided are:

Reusing passwords for multiple systems, especially using the same password for business and personal use.

Writing down passwords and leaving them in unsecured areas.

Sharing a password with tech support or a co-worker.
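To make the two password-protection points above concrete, here is an added Python example; it is not code from the original article. It scores a candidate master passphrase for a password manager (the single secret whose compromise exposes the whole vault) and flags entries in a constructed vault export that share one password across business and personal sites. The 14-character minimum, the 80-bit entropy threshold, the small common-password list and the sample vault contents are illustrative assumptions for this example, not a published standard.

```python
import hashlib
import math
from collections import defaultdict

# Constructed, illustrative deny list; a real one would be far larger
# (e.g. passwords seen in public breach corpora).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2023"}

# Thresholds are assumptions for this example, not a published standard.
MIN_LENGTH = 14
MIN_ENTROPY_BITS = 80.0


def estimate_entropy_bits(secret: str) -> float:
    """Upper-bound estimate: length * log2(size of the character classes used).
    It over-estimates real passphrases built from dictionary words or keyboard
    walks, which is why the deny list is checked as well."""
    charset = 0
    if any(c.islower() for c in secret):
        charset += 26
    if any(c.isupper() for c in secret):
        charset += 26
    if any(c.isdigit() for c in secret):
        charset += 10
    if any(not c.isalnum() for c in secret):  # punctuation and spaces
        charset += 33
    return len(secret) * math.log2(charset) if charset else 0.0


def check_master_passphrase(passphrase: str):
    """Return (ok, reasons). The master passphrase guards every credential in
    the vault, so it is held to a higher bar than an individual site password."""
    reasons = []
    if len(passphrase) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if passphrase.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    bits = estimate_entropy_bits(passphrase)
    if bits < MIN_ENTROPY_BITS:
        reasons.append(f"estimated entropy {bits:.0f} bits is below {MIN_ENTROPY_BITS:.0f}")
    return (not reasons, reasons)


def find_reused_passwords(vault_entries):
    """Group vault entries by a digest of the password and return the site lists
    for every password used on more than one site. Keying on a digest rather
    than the plaintext keeps passwords out of the intermediate structure, and
    the returned report contains only site names."""
    sites_by_digest = defaultdict(list)
    for entry in vault_entries:
        digest = hashlib.sha256(entry["password"].encode("utf-8")).hexdigest()
        sites_by_digest[digest].append(entry["site"])
    return sorted(sorted(sites) for sites in sites_by_digest.values() if len(sites) > 1)


# Constructed sample export; site names and passwords are made up.
SAMPLE_VAULT = [
    {"site": "work-sso.example", "password": "Autumn!Leaves2023"},
    {"site": "personal-mail.example", "password": "Autumn!Leaves2023"},
    {"site": "bank.example", "password": "Autumn!Leaves2023"},
    {"site": "forum.example", "password": "xk9#Lp2$vQ7mN4wz"},
    {"site": "shop.example", "password": "h3Y-pLan3t-0rbit-91"},
]

if __name__ == "__main__":
    for candidate in ["summer2023", "Tr0ub4dor&3", "correct horse battery staple"]:
        ok, reasons = check_master_passphrase(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'weak: ' + '; '.join(reasons)}")
    for sites in find_reused_passwords(SAMPLE_VAULT):
        print("same password on:", ", ".join(sites))
```

Running the script flags the two short or list-matching candidates as weak, accepts the long multi-word passphrase, and reports that one password is shared by the work single sign-on, personal mail and bank entries, which is exactly the business-plus-personal reuse the list above warns against.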