Raising Security Awareness in Employees. INFO-TECH - PowerPoint PPT Presentation

Slides: 22
Provided by: nha9
Transcript and Presenter's Notes

1
Raising Security Awareness in Employees
INFO-TECH DIGITAL PRESENTATION
insert date
2
Raising Security Awareness in Employees
  • Summary
  • While perimeter defenses are critical to
    protecting our systems from outside attack,
    attention must be placed on security threats that
    come from within.
  • It's important to raise security awareness in all
    employees because most security breaches are
    caused inadvertently by staff.

3
Raising Security Awareness in Employees
  • Did your organization experience an unauthorized
    use of its computer systems in the last 12
    months?

Source: Computer Security Institute, June 2004; n = 481 computer security practitioners in the U.S.
4
Raising Security Awareness in Employees
  • Types of attacks or misuse detected in the last
    12 months

Source: Computer Security Institute, June 2004; n = 481 computer security practitioners in the U.S.
5
Raising Security Awareness in Employees
  • According to META Group, the cost of damages from
    a security breach is $290,000 per company in
    2004.
  • In May 2004 alone, the damage due to the
    proliferation of malicious software is estimated
    at between 16.2 billion and 19.8 billion
    worldwide.
  • Survey respondents' estimates show that
    denial-of-service attacks surpassed intellectual
    property theft as the most costly attack type.
  • The third most costly type of attack was insider
    Web abuse, followed by abuse of wireless
    networks, financial fraud, and laptop theft.

6
Raising Security Awareness in Employees
  • Number of security incidents reported, 1993 to
    2003

Source: CERT, 2003
7
Raising Security Awareness in Employees
  • Social Engineering: What Is It?
  • Social engineering is a method that hackers use
    to manipulate and deceive employees in order to
    gain sensitive or confidential information such
    as:
  • Personal employee facts or passwords.
  • Names of important servers.
  • Other key data (e.g. IP addresses).

8
Raising Security Awareness in Employees
  • Social Engineering: How Is It Done?
  • Impersonating an employee and pretending to have
    forgotten a password.
  • Posing as an authority figure to extract valuable
    information from company employees who are
    afraid or unable to confirm the legitimacy of the
    authority.
  • Posing as a repairman or contractor to gain
    physical access to an organization and steal
    information or access the network through an
    available workstation.

9
Raising Security Awareness in Employees
  • Building a fake Web site that requires users to
    register with their user name and password to
    access information.
  • "War mumbling," which involves calling employees
    and mumbling or speaking in a thick accent when
    asked for ID authentication until the user
    finally gives up the password information out of
    sheer frustration.
  • Gaining trust through seemingly innocent
    conversations, then sending an e-mail attachment
    with a backdoor exploit.

10
Raising Security Awareness in Employees
  • We Don't Want to Play Big Brother
  • No one wants to monitor every action of a user,
    but many security breaches are created
    internally. Incidents of this kind come in a
    variety of forms:
  • Opening infected e-mail attachments.
  • Forgetting to log off or lock workstations.
  • Disclosing passwords.
  • Installing unauthorized software.

11
Raising Security Awareness in Employees
  • Disclosing private customer data.
  • Leaving a public-facing door unlocked.
  • Forgetting to set the alarm at night.
  • Loaning your laptop to someone else.
  • Surfing questionable Web sites.
  • Losing your key card and not reporting it
    missing.
  • Any other failure to comply with company security
    policies.

12
Raising Security Awareness in Employees
  • We'll Do Our Part
  • In addition to fostering a corporate culture that
    embraces security, company name intends to do
    the following:
  • Solidify and strengthen all enterprise security
    systems and technologies.
  • Establish formal practices and support.
  • Invest in security training programs.

13
Action Plan
14
Raising Security Awareness in Employees
  • How You Can Help! At the end of the day, it's you
    who can make a real difference in security.
  • Keep confidential documents locked up.
  • Don't leave private information in the
    photocopier, fax machine, etc.
  • Change your password frequently; use a
    combination of letters and numbers.
  • Never let ANYONE know your password.
  • Store all files on the network, not your PC's
    hard drive.
  • Encrypt or password-protect sensitive e-mails.

15
Raising Security Awareness in Employees
  • Always lock your PC when you are not at your desk
    (Ctrl + Alt + Delete).
  • Always log off and shut down your PC when you
    leave for the night.
  • Always ask IT for permission before downloading
    software.
  • Never post sensitive company information or
    client information to blogs, Web bulletin
    boards, etc.

16
Raising Security Awareness in Employees
  • How We Plan to Measure Effectiveness.
  • Conduct periodic security tests to promote and
    measure the program's success.
  • Create a security documents section in the
    intranet that will include policies, procedures,
    and FAQs on security.
  • Employ power users to help you out and foster
    security awareness.

17
Raising Security Awareness in Employees
  • How We Plan to Communicate.
  • We will keep the lines of communication open so
    that you can ask IT about security when you're
    unsure.
  • We will provide updates on existing and future
    security initiatives.
  • We will set up a graphic security "barometer" to
    display the organization's current security
    status.

18
Raising Security Awareness in Employees
  • How We Plan to Stay Flexible. What is considered
    a security best practice today might be obsolete
    tomorrow. The security awareness program takes
    into account such factors as:
  • Changing business models and/or objectives.
  • The introduction of new technologies.
  • Emerging security threats and/or new viruses.
  • The growth of the network and the user base.

19
Raising Security Awareness in Employees
  • How We Plan to Enforce Security. Because security
    is so critical to our business operations,
    enforcement may be necessary.
  • Consistently failing security tests may result in
    disciplinary action.
  • Policies will contain stiffer penalties for
    infractions.
  • Deliberate security violations will be dealt with
    to the fullest extent of the law.

20
Raising Security Awareness in Employees
  • Bottom Line
  • Security is a challenge, made more difficult by
    human fallibilities.
  • An awareness program will strengthen the security
    chain and empower you to make a real difference.

21
Questions?