The purpose of a security awareness program is to notify information system users about security policies, guidelines for acceptable use and business risks or technological hazards. This article discusses some components that should be included in a security awareness program including: policies, communication methods, and topics for ongoing communications with systems users.
• Develop written policies related to all aspects of security, and post to an employee handbook (hardcopy or intranet). Best security policies for end users include the “why” as well as the “what.”
• Include examples of the risks and the consequences to other users either in general, or specifically at your company. Policies must include consequences for serious or repeated violations.
• Ask users to read and understand the policies.
• Obtain written agreement that states that the users understand the policies and agree to abide by them. Without this framework, it is difficult to structure good communication to end users, and it is more difficult to achieve a high rate of compliance.
• Establish periodic communication with the end user community discussing the latest threats, how the organization is mitigating the risks, and what users can do to protect themselves and/or contribute to mitigating the risks. This can be accomplished by the following means:
Briefings. Briefings should be concise and provide a clear outline of requirements. A combination of verbal and written security briefings is favored.
Discussions. Discussions between small groups of users are recommended and encouraged.
Newsletters and staff bulletins. These should include security articles, puzzles, competitions, quizzes, cartoons, and case histories. Competitions with prizes are useful in motivating users toward good security.
Reminder notices. Notices placed on computer screens, electronic mail, and voice mail serve as useful reminders, but should be changed frequently to retain impact. Assorted security notices should be placed in the organization’s regular newsletter to promote information security.
Posters. Eye-catching posters attract the attention of users to basic security matters, and should be rotated frequently to retain impact.
Analysis of incidents. Analysis of incidents and risk assessments may be issued periodically. Where applicable, these matters should be brought to the attention of all users.
• Institute a “Management By Walking Around” policy. This is an effective way of alerting users that security is a high priority for management and that noncompliance has consequences. Desktop reviews should be performed on a continuous basis to look for workstation lockdown, passwords that are written down, and other security violations. A method of rewarding users who comply, and of alerting those who don’t, can be as simple as leaving behind a checklist of the security objectives and how the user scored in complying with them. This can be left behind with some kind of nominal reward (chocolate, candy, soda, etc.).
• Designate a single point of contact for reporting security violations and for answering security-related questions. This allows users to feel confident that if they discover a problem there is help and they know where to find it. A specific member of the Information Security team or Helpdesk is the logical choice for this role. Even if the designated team member only collects and escalates information, having a specific contact shows users that security needs are important enough to warrant a designated contact.
Topics for security policies and ongoing communication:
1. Password construction and management
The goal when choosing a password is to make it as difficult as possible for a cracker to make educated guesses about what has been chosen. This leaves him no alternative but a brute-force search, trying every possible combination of letters, numbers, and punctuation. A search of this sort, even conducted on a machine that could try one million passwords per second (most machines can try less than one hundred per second), would require on average over one hundred years to complete.
What Not to Use
• Don’t use your login name in any form (as-is, reversed, capitalized, doubled, etc.);
• Don’t use your first or last name in any form;
• Don’t use your spouse’s or child’s name;
• Don’t use other information easily obtained about you. This includes license plate numbers, telephone numbers, social security numbers, the brand of your automobile, the name of the street where you live, etc.;
• Don’t use a password of all digits, or all the same letter. This significantly decreases the search time for a cracker;
• Don’t use a word contained in English or foreign language dictionaries, spelling lists, or other lists of words. If you type your password into a word processor and the spellchecker recognizes the word as a misspelling, it is a poor choice;
• Don’t use a password shorter than six characters.
What to Use
• Do use a password with mixed-case alphabetic characters;
• Do use a password with non-alphabetic characters, e.g., digits or punctuation;
• Do use a password that is easy to remember, so you don’t have to write it down;
• Do use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.
Choose Secure and Easy to Remember Passwords
• Choose a line or two from a song or poem, and use the first letter of each word. For example, “Get your kicks on Route 66.” becomes “GykoR6;”
• Alternate between one consonant and one or two vowels, up to eight characters. This provides nonsense words that are usually pronounceable, and thus easily remembered. Examples include “houtey,” “guatdop,” and so on;
• Choose two short words and concatenate them together with a punctuation character between them. For example: “cat;dog,” “page+turn,” “holy!moly.”
• Change your password often, at least every 60 days;
• Do not share your password with other users;
• Do not give out your password to anyone;
• Do not write down your password on paper (esp. on a yellow sticky note!) or store it on a computer;
• Do not use the same password for your Network that you use as a password for another computer system, such as your ATM card PIN number or as your password to a Web site on the Internet;
• Do not let anyone see you type in your password. Stop typing if you notice someone watching you;
• Make sure your password is not being compromised whenever you type it in. Some people add extra flourishes of their fingers and hands to hide their movements over the keyboard for any observers.
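The following Python script is an added example, not code from the original article: it turns the “What Not to Use” and “What to Use” rules above into a policy checker, implements the first-letter-of-each-word method from the “Choose Secure and Easy to Remember Passwords” list, and reproduces the brute-force estimate from the introduction of this section. The word list is a constructed stand-in for a real dictionary, and the alphabet size (95 printable ASCII characters) and guess rate (one million per second, as in the text) are assumptions.

```python
"""Password policy checks derived from the awareness-program rules above.

Added example (not part of the original article). WORD_LIST is a constructed
stand-in for a real dictionary; the alphabet size and guess rate used by
average_search_years() are assumptions chosen to match the article's figures.
"""
import string

# Constructed stand-in for a dictionary; a deployment would load a full
# word list (for example /usr/share/dict/words) instead.
WORD_LIST = {"password", "secret", "welcome", "dragon", "monkey", "letmein"}


def name_variants(name):
    """Forms of a login or personal name the policy forbids: as-is, reversed
    and doubled. Everything is lowercased, so capitalized forms are covered
    by the case-insensitive comparison in check_password()."""
    n = name.lower()
    return {n, n[::-1], n * 2} if n else set()


def check_password(password, login, personal_names=(), words=WORD_LIST):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    lower = password.lower()

    # Don't use a password shorter than six characters.
    if len(password) < 6:
        problems.append("shorter than six characters")

    # Don't use your login name, or your own / family names, in any form.
    for name in (login, *personal_names):
        if any(v in lower for v in name_variants(name)):
            problems.append(f"contains a form of the name '{name}'")

    # Don't use a password of all digits, or all the same character.
    if password.isdigit():
        problems.append("all digits")
    elif len(set(lower)) == 1:
        problems.append("a single repeated character")

    # Don't use a word found in a dictionary or word list.
    if lower in words:
        problems.append("is a dictionary word")

    # Do use mixed case, and at least one digit or punctuation character.
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("not mixed case")
    if all(c in string.ascii_letters for c in password):
        problems.append("no digits or punctuation")

    return problems


def acronym_from_phrase(phrase):
    """First character of each word of a song line or poem:
    "Get your kicks on Route 66." -> "GykoR6"."""
    return "".join(w[0] for w in phrase.split() if w[0].isalnum())


def average_search_years(length, alphabet_size=95, guesses_per_second=1_000_000):
    """Average brute-force time in years: on average half the keyspace of
    alphabet_size symbols (95 printable ASCII characters assumed) must be
    searched at the given guess rate."""
    seconds = (alphabet_size ** length) / 2 / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # 'jsmith' is a constructed login name.
    for pw in ("password", "GykoR6", "111111", "Htimsj1!", "aaaaaa"):
        print(f"{pw!r:12} {check_password(pw, 'jsmith') or 'OK'}")
    print(acronym_from_phrase("Get your kicks on Route 66."))
    print(f"8 printable characters at 1M guesses/s: "
          f"{average_search_years(8):.0f} years on average")
```

Run as a script it reports each violation per password; “Htimsj1!” shows that the reversed login name is caught even when disguised with mixed case and punctuation. The estimate for an eight-character password from the 95 printable characters comes to roughly 105 years on average at one million guesses per second, which is the “over one hundred years” figure quoted in the text.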
Passwords should be routinely cracked by authorized personnel, and weak passwords should be changed immediately. These results, communicated to the user group, reinforce how important security is to the company’s management.
2. Internet Usage
• An acceptable use policy is paramount for user access to the Internet. Usage should be monitored to the extent possible, and violators of the company policy should be disciplined or terminated;
• Avoid downloading and running programs over the Internet from people or places that you don’t know or trust. It is safest to avoid executing any software downloaded from the Internet unless it can be cryptographically verified;
• Internet access should never be left available when you are not at your desk. This protects you from someone else using your connection inappropriately.
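As an added example of the “cryptographically verified” check in the list above (not code from the original article), this Python script compares the SHA-256 digest of a downloaded file with the digest its publisher lists and refuses the file on any mismatch. The sample file contents and the “published” digest are constructed here so the script runs offline.

```python
"""Checking a download against a published SHA-256 digest before running it.

Added example (not part of the original article). The file contents and the
published digest are constructed in __main__ so the script runs offline.
"""
import hashlib
import hmac


def sha256_hex(data, chunk_size=65536):
    """Hex SHA-256 of a bytes object, fed in chunks as a large file would be."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()


def verify_download(data, published_digest):
    """True only if the computed digest equals the publisher's digest.
    hmac.compare_digest does a constant-time comparison; the published value
    is normalised to lowercase hex first so case differences do not matter."""
    return hmac.compare_digest(sha256_hex(data), published_digest.strip().lower())


if __name__ == "__main__":
    installer = b"#!/bin/sh\necho 'constructed sample installer'\n"  # constructed
    published = sha256_hex(installer)  # stands in for the digest the author publishes
    print(verify_download(installer, published))          # genuine copy
    print(verify_download(installer + b"\x00", published))  # altered copy is rejected
```

A matching digest only proves the file is the one whose digest was published; if the digest was fetched from the same untrusted place as the file, both can be replaced together, so the digest (or the file) should carry the publisher's signature and be checked against a key obtained out of band.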
3. Telephone Fraud
• Always identify callers’ numbers or extensions, where possible, via caller ID technology;
• Never disclose confidential information to an unknown party, especially login names and passwords. Company policy should forbid even legitimate parties from making phone requests for these items or have a very rigid call back policy or other safeguards;
• Report any suspicious calls to the appropriate individual for tracking to determine if the company has become a target for a scam. This allows a warning to be issued to others who may be at risk.
4. E-mail usage
• Don’t leave e-mail access open when you leave your desk. This allows malicious individuals to read your mail or send inappropriate mail to someone else in your name.
• Never disable antivirus software;
• Make sure the software is updated frequently;
• Do not install new programs without scanning them first, whether from a trusted source or not;
• Do not open unsolicited e-mail from unknown sources;
• Include latest virus alerts in communications to users.
6. Corporate workstation security
• Lock down workstations at all times either in a desk or cabinet or with a security cable;
• Do not leave laptops unsecured in hotel rooms or in the home;
• Never leave your lock key visible, in your top desk drawer or pencil holder. Keep your lock key on your person;
• Store your workstation in a locked credenza or drawer after hours and on weekends or take your laptop home with you – even if equipment is locked down it is still at risk when visible and unattended;
• Don’t check your laptop with luggage at the airport and stay with it when you go through airport security. Always keep your equipment in sight in airport terminals and hotel lobbies;
• Never leave equipment visible in your parked vehicle;
• If you need to place equipment in your automobile trunk for a short period of time, be sure you are not observed and that your vehicle doors are locked;
• Never leave equipment and diskettes exposed to extreme temperatures (below 50 or above 95 degrees);
• Never allow food or drink near any workstation hardware;
• Back up your data regularly to guard against permanent data loss. Delete any unused files and keep files not used frequently on the network, not your hard drive.