Welcome to day 5 of Cyber Security awareness month.
You won’t find much argument in the Security community that people are the generally considered to be the weakest link. White, grey and black hats take full advantage of this at times, to verify, test or exploit. Phishing and SPAM are just two profit making examples of social engineering and no doubt we can all come up with more or less embarrassing examples. But what we really need to start thinking about is how we deal with this in the corporate environment as well as at home.
- Information classification – Classify your information, stipulate how things are to be handled and what can and can’t be talked about, copied, emailed and so on. Once people become familiar with the classifications and follow the guidelines, you should find that loose lips no longer sink ships.
- Policy –We all get those phone calls where someone asks about your servers, firewalls, etc. Have a policy in place to outline who deals with those kinds of things. A bit too obvious, but the sentence “don’t tell anyone your password” should also appear in your policy.
- More Policy - make sure you cover disposal of things such as CDs/DVD, hard disks etc. Many a company or government department has been inconvenienced in the press because of one of this. (thanks Craig for the tip).
- Get a shredder, preferably a cross cut one (might want to start thinking about one of these for at home as well)
- Teach staff to challenge people they don’t recognise (politely of course).
- Put up a poster next to doors, “check badges”, “Watch for tail gating”.
- Provide Phishing education.
- Teach people to pick up their printouts and faxes from the various stations
- Don’t click on links (yep some people need to be reminded)
- Just for fun (with permission of course) set up a targeted “SPAM” attack on your own organisation. See how many people will click the link.
- Have a dumpster auction. Go down and collect some of the papers in your corporate dumpster (the one not used for secure shredding) and see what you can find. Then publish the info (suitably anonymised). You’d be amazed what you can find.
- Watch for people who “just” want to fix a printer urgently.
So plenty of room left for some of your tips, send them in and I’ll collate them at the end of the shift.
Might even include one or two “war” stories, but they have to be good.
Mark - Shearwater
Oct 5th 2007