SECURITY AWARENESS TIPS
are frequently transmitted by e-mail. Some telltale signs
Expressions of love
° Here's that file you wanted...
° Games or screensavers
virus messages are actually hoaxes, advising you to delete
critical files or download infected software from a web
can send e-mail using a friend or coworker's system, effectively
suspicious e-mail. When in doubt, consider whether the message
has a legitimate business use. Do not open an attachment
unless you are comfortable with the content of the rest
of the message.
software uses stored virus definitions to detect and quarantine
viruses. Virus definitions must be updated to defend against
workstation has been configured to automatically download
new definitions daily. Please do not interfere with the
download or scanning processes.
unlocked workstation is a violation of security policy and
leaves the system open to compromise.
configure a password-protected screen saver to lock after
10 minutes of inactivity:
1. Start > Settings > Control Panel
2. From the Control Panel, choose Display
3. From the Display window, click on the Screen Saver tab
4. From the screen saver drop down menu, choose a screen
5. In the Wait window, choose 10 minutes
6. Select "On resume, password protect"
7. Click OK to save the new configurations
should also lock your workstation before leaving your desk:
Press Ctrl + Alt + Del
2. Click on "Lock Computer"
methods eliminate a period of vulnerability while the system
is left unattended. The system can be unlocked by supplying
your login ID and password.
TRUST YOUR INSTINCTS
investigating a security incident, it is often discovered
that people knew or suspected that something was going on
before the incident occurred.
time to time people may raise a false alarm and that's OK.
It happens to security professionals occasionally and is
to be expected.
your instincts and use your best judgment. When you call
to report an incident, provide as much detail as possible.
The security group does not bite. ;-)
use software and word lists to automate password submittals.
Source materials include dictionary files and lists of common
names, characters, movies, etc. Using these methods, hackers
can compromise weak passwords in under an hour.
company policy, passwords must be 8 characters and consist
of 3 of the following elements:
° Lower case
° Numeric characters
° Special characters (i.e. * ! @ & )
following password elements are prohibited:
Common elements (i.e. words, names, sports, movies &
shows, groups, songs, etc.)
° Elements relating to the user (i.e. user id, graduation,
birthdays, phone numbers, SSN, pets, etc.)
° Keyboard patterns (i.e. 1q2w3e4r)
° Repeating patterns (i.e. ah*fJDS1, ah*fJDS2, etc.)
following practices are prohibited:
Recording user ids or passwords on paper
° Group accounts or shared passwords (passwords provide
accountability, user to system)
° Distribution of passwords by e-mail or other insecure
methods (i.e. fax)
° Use of the same password on multiple systems
distributing a password, positively identify the person
and their need-to-know. Examples include:
Confirmation by employee ID
° Checking drivers license against the company directory
° Calling back at the number listed in the directory
° Confirmation with a supervisor
° Confirmation with human resources
should be stored in password management software (i.e. eWallet
or Password Safe).
your password at least every 6 months and whenever you suspect
it has been compromised.
help desk will not ask for your password. Report any attempts
to obtain it to the security group.
is a key component to the success of any business. Single
points of failure are a threat to continuity. Business depends
on its employees to complete their duties. It also needs
a reliable supply of goods and services. Its phone and IT
systems must be highly available. Each employee must address
Each critical function must have a primary and alternate
formally assigned. Document mission essential procedures
thoroughly. Documentation should be routinely updated and
marked with the date of last revision.
Each department should consider the goods and services required
to fulfill its mission. Verify that external organizations
have methods to ensure reliable service/delivery in the
event of equipment failure, supply chain issues, and emergencies
such as natural disasters, terrorism, etc. If necessary,
make legally binding backup agreements with separate providers.
Business continuity and disaster recovery should be addressed
with comprehensive plans. Each department must contribute.
Off-site storage and alternate work sites with phones and
IT systems are also required. Verify your organization's
state of preparedness by testing the plans at least annually.
CLEAN DESK POLICY
is crucial to protect sensitive information from disclosure.
Office space is frequented by visitors, consultants, vendors,
cleaning crews, maintenance and fellow employees.
keep your workspace neat. If it is messy, you may not notice
when something is missing. Throughout the day:
Lock sensitive documents and computer media in drawers or
° Physically secure laptops with security cables
° Secure your workstation before walking away (Ctrl+Alt+Delete
or windows key + l)
not post sensitive documents. Examples include:
User IDs & Passwords
° IP addresses
° Account numbers
° Client lists
° Intellectual property
° Employee records
° Anything you wouldn't want disclosed
the end of the day, take a moment to:
Tidy up and secure sensitive material
° Lock drawers, file cabinets and offices
° Secure expensive equipment (laptops, PDAs, etc.)
DESTRUCTION OF SENSITIVE MATERIALS
and industrial spies have long used "dumpster diving"
as a method for gathering sensitive information. Sensitive
materials must be thoroughly sanitized before being discarded.
Paper containing sensitive information must be shredded.
Use high quality cross cut shredders to cut paper into fine/small
pieces. Place shredders in common areas. Personal shredders
should be purchased for employees that work daily with sensitive
CD-ROMs should be fed through a CD-ROM shredder. An alternative
would be to snap CD-ROMs in half. The process of breaking
a CD-ROM can send shards of plastic flying. The sharp edges
of a broken CD-ROM can cut. A shredder is a better solution.
Floppy disks and backup tapes should be opened and cut into
small pieces. Hard drives should be over written 3 times
with zeros and ones. Magnetic media containing extremely
sensitive material should be sanitized with the magnetic
field of a degaussing device. Degaussers can be expensive.
As an alternative, disassemble each hard drive and sand
the surface of its platters.
has always been a threat to information security. Spy films
highlight how easy it is to use a small camera to swipe
confidential information. In just a moment of opportunity,
a camera can be used to take information with no one the
wiser. With digital cameras the size of a pack of cigarettes
and cell phone camera combos, it is easier than ever to
slip in a camera unnoticed.
some cases visitors have stolen intellectual property by
taking pictures on escorted tours. Visitors must never be
permitted to take photographs. Do not leave visitors alone
with sensitive materials, even for a moment.
anyone taking pictures in an unusual situation by asking
"May I help you?" and following up with something
like "What are the pictures for?". Immediately
report any suspicious activity to the security group.
BACKUP YOUR DATA
files stored locally on your workstation will be lost in
the event of a hardware failure. This includes your entire
C drive and your workstation's desktop.
files on your personal network drive (X drive). It is backed
up nightly. Use of your X drive also makes it possible to
quickly replace your workstation for hardware and operating
SYSTEMATIC REMOVAL OF ACCESSES
access can cause serious damage to the organization. Disgruntled
employees can use lingering accesses to enter systems or
office space. Hackers can use inactive accounts to enter
systems unnoticed. Potential damage includes theft of funds,
equipment or intellectual property, disclosure of confidential
information, and/or damage to property or personnel.
an employee leaves their accesses must be immediately revoked.
Human resources initiates systematic removal of accesses
with the help desk and building security. When a consultant
leaves, their supervisor must ensure accesses are removed.
Employees must only have the accesses their position requires.
When roles change, supervisors must rescind unneeded accesses.
help desk goes to great lengths to track and rescind accesses.
However, it is possible to overlook the extent of a user’s
accesses. The typical user has more than network and voicemail
access. There are remote accesses, custom applications,
development servers, etc. Please take a moment to drop an
e-mail to the help desk if you notice a former employee
in the network e-mail address book, on a development server
department has unique accesses that must also be addressed.
Removal of access should be documented and routine. It should
not require a meeting to lock down a section after someone
has left. When an employee leaves, inform external organizations.
Contact financial institutions, vendors, storage facilities
and any other external organizations where the individual
is listed as a point of contact. Update external contact
lists and change authorization passwords.
loss of a laptop can cause irreparable harm to the organization.
Laptops must be secured and used responsibly to prevent
compromise of sensitive information or unauthorized network
IT department has taken measures to address the threats
laptop users face. Your active involvement is critical to
complete the equation:
Laptop theft: When leaving a laptop unattended in a hotel
room or office space, lock it to an unmovable or extremely
heavy object using its security cable.
° System compromise: The operating system is hardened against
° Patches: The help desk will periodically recall your
laptop to install security patches.
° Network threats: Laptops are equipped with firewall software
to defend against hacking attempts on public networks and
° Viruses: Anti virus definitions must be updated weekly
to be effective. Keep your definitions current to avoid
a system outage while you are traveling.
° Theft of confidential files: In the event that your laptop
is lost or stolen, sensitive files must be stored using
file encryption software.
° Password compromise: Do not save passwords in files,
web browsers, VPN clients or any other insecure software.
Store passwords with encrypted password management software.
° Electrical surges: Protect your laptop from electrical
spikes by plugging its power and modem connections into
a surge protector.
loss of a laptop is a serious security incident. In the
event a laptop is lost or stolen, immediately contact the
security group hotline at 123-456-7890.
you need assistance with updating virus definitions, using
file encryption or any other security features, please contact
the help desk.
are tips to secure your home computer and preserve data:
Viruses: Install anti-virus software and configure it to
automatically update its definitions every week.
° Internet threats: You should also have a firewall between
your computer and the Internet. Firewall software has a
small performance impact on your system. If you are using
DSL or a cable modem, consider using a firewall appliance.
° Security vulnerabilities: New security vulnerabilities
are discovered every day. Hackers write viruses to exploit
them. Protect yourself by installing security patches at
least every month.
° Password compromise: Do not save passwords in files,
web browsers, VPN clients or any other insecure software.
Store passwords with encrypted password management software.
° Theft of confidential files: Secure sensitive files with
file encryption software.
° Electrical surges: Protect your systems from electrical
spikes by plugging power and modem connections into a surge
° Hardware failure: Periodically back up your files using
removable media (i.e. a CDRW drive).
DON'T BE AFRAID TO SAY NO
culture is focused on customer service. The expression "the
customer is always right" is well known. Social engineers
take advantage of this. When encountering a bit of resistance,
they will boldly press on. They may also impersonate a senior
manager or claim to be from their office. In the military,
this is known as "awe of rank". Don't fall for
someone asks you to violate policy or procedure, hold firm
and do what's right. Management will support your decision.
engineering attempt is a serious security incident. If you
encounter a social engineer, take note of as many details
as possible (i.e. the phone number from caller ID, background
noise, the time, and the conversation). At the conclusion
of the incident, immediately contact the security group
hotline at 123-456-7891.
PIGGYBACKING & TAILGATING
occurs when an authorized person allows someone to follow
them through a door to secure area.
occurs when an unauthorized person slips in through a door
before it closes.
practices are breaches of security. Locks and access cards
are in place to protect the organization and its employees.
Keep in mind that the person trying to follow you in may
have been terminated recently.
not hold the door for anyone you do not know personally
and make sure no one slips in behind you.
you find a door that does not automatically close or has
a broken lock, contact building security. If you find a
door that is propped open, please close it.
efforts will help keep us all safe and secure. Thank you.
ROGUE WIRELESS NETWORKS
networks represent a way around the firewall. Hackers actively
search for vulnerable wireless networks using a laptop equipped
with a wireless card. This technique is referred to as "war
driving" (versus war dialing for modems).
networking is still an emerging technology. The security
components of the low-end models are not quite effective
yet. The security of a wireless router is practically nonexistent
if the encryption features are disabled.
wireless networks represent a serious threat to the security
of the network. Rogue wireless routers will not be tolerated
and may result in disciplinary action.
security group will periodically check each site for compliance.
devices pose a significant threat to security. The use of
electronic devices must be strictly controlled to prevent
information leaks. With new devices being produced each
year it is difficult to specifically address each one.
owned devices which fall into these categories are prohibited
on company grounds:
Computer systems: Computer systems can be used to store
sensitive data and may introduce viruses into the network.
Handheld computer systems are of particular concern. They
lack the security of their larger counterparts and their
small size makes them easy to loose or steal. Anything that
synchronizes to a workstation fits into this category. Examples
include but are not limited to PCs, laptops, PDAs, electronic
organizers and data watches.
Recording devices: Audiovisual recording devices represent
a threat for obvious reasons. Examples include digital cameras,
PC cameras, video recorders and cell phone camera combos.
Storage devices: Small storage devices and backup media
can be used to transport large quantities of sensitive information.
The IT department backs up files stored on networked personal
drives and shared folders. Employees do not need to make
their own backups. Examples of specific prohibited devices
are zip drives, CDRW drives, and USB storage devices.
Networking: Modems and wireless network devices must meet
a business need and be approved, installed and maintained
by the IT department. Do not use unapproved methods to remotely
access company systems.
and visitors must be advised of these restrictions and monitored
owned devices must be used responsibly:
Sensitive data on laptops and PDAs must be encrypted. If
either is lost or stolen, immediately report the incident
to the security group.
° Be mindful of the background when using audiovisual recording
equipment. Protect tapes in accordance with the sensitivity
of the information. Avoid recording meetings.
° Store company owned electronic equipment under lock and
the event of a disaster the initial recovery process takes
roughly 1-2 days. During that time, systems are restored
at a designated recovery site. The business continuity plan
takes effect next.
units need to know what they can expect from the disaster
recovery effort. They also need to be able to work independent
of IT systems for whatever time is agreed upon for the disaster
business unit must take an inventory of what they need to
stay in business (identify dependencies). Take a hard look
at the critical paperwork stored on-site. It gets more complicated...
The business needs to identify critical suppliers and ensure
that their contracts provide for disasters (i.e. a manufacturing
plant won't function without a steady flow of parts). Human
resources and accounting needs to be prepared too. Paychecks
need to flow. Bills need to be paid. Emergency funds need
to be available.
business unit must create and maintain a business continuity
operations guide. Plan for both salvage and recovery teams.
year test both the disaster recovery and business continuity
security (OPSEC) addresses the confidentiality of internal
business processes and sensitive information. If OPSEC is
breached, the compromise can be used to gain access, disrupt
operations and/or for competitive advantage.
may call many people throughout an organization, gathering
small bits of internal information along the way (a name
here, a term there). Before long, they have enough knowledge
to impersonate an authorized user. Verify identity and distribute
information based on a party's need-to-know. If someone
is asking for internal information, verify his or her identity.
If they don't have a need-to-know, the topic is none of
their business (literally). Cite company policy as your
reason for not disclosing the information.
information can be deduced by gathering several pieces of
public or uncontrolled information (aggregation and inference).
For this reason, semi-sensitive information must be protected
a hard look at what outsiders can learn from public sources
and observing your operations. Web sites frequently the
source of information leaks. Do not post semi-sensitive
information in areas that are accessible to the public or
visitors (i.e. lobbies, reception areas, conference rooms
and office space). Examples of semi-sensitive information
° Employee directories
° Store numbers
° Employee numbers
° Site locations
° Building blueprints
° Names of vendors or suppliers
° Approved processes for gaining access:
- Authorizing a visitor
- Obtaining an ID access card
- Obtaining a network, system or application account
throughout the organization must be aware of these threats
and act accordingly to protect against them. Identify sensitive
information in your area of responsibility (i.e. client
lists or source code). Critically evaluate the how it is
security breaches can be traced back to improper trust relationships.
Intruders or dishonest insiders discover these vulnerabilities
and take advantage of them at their leisure. The damage
can be severe from the loss of millions of dollars to the
disclosure of sensitive information such as software code.
relationships exist internally within an organization and
extend to business partners and suppliers. Carefully examine
trust relationships which pertain to finances, sensitive
information and physical security.
trust relationships include firewall rules and network segmentation.
Roles within operating systems and applications must also
be carefully configured to prevent compromise. For example,
the assignment of roles within an accounting system should
require separate roles to create an account and write a
check. Monitor systems with intrusion detection and vulnerability
trust relationships exist between coworkers. Trust is often
extended to frequent visitors and delivery personnel as
well. Social engineers know and exploit these weaknesses.
trust relationships must be in accordance with company policies
and procedures. Formal processes must exist to ensure that
trust relationships are systematically rescinded once they
are no longer required. Trust relationships and sensitive
accesses must be routinely audited and reviewed.
yourself, whom do I trust?
the event of a security incident, please remember the following
Keep yourself and fellow coworkers safe. Personnel safety
is the priority of /organization/.
As soon as an incident is discovered contact the following:
Building security - 123-456-7890 - (only incidents pertaining
to physical security)
° The security group - 123-456-7891 - (physical and computer
° Your immediate supervisor
Take note of the incident's details. During an incident,
things happen quickly and can fade from memory just as fast.
Keep the details of the incident confidential. Incident
related information should only be disclosed to security
and management personnel with a valid need-to-know.
keep this message available for reference in an emergency.
you have any questions about this or any other security
related issue, please contact the security group at 123-456-7891.
visitors represent a serious threat to the security of the
arrival, visitors must present a government issued ID card,
sign a non-disclosure agreement and the visitor log. All
items are subject to search. Laptops must be signed in and
will phone employees to inform them of a visitor's presence.
Entry is not permitted until an escort arrives. Provide
the guard with your employee ID card and sign for the visitor.
must be escorted at all times. Watch visitors closely. Small
devices can be used to take pictures and store large amounts
of sensitive data. If you need to step away, ensure that
someone else accepts responsibility for watching the visitor.
This includes escorting visitors back to the security desk.
Frequent visitors must not receive special treatment. Instruct
visitors to wear their visitor badges so that they can be
no time will a visitor be given access to the company network
without formal authorization from the security group. Never
let a visitor (or anyone else) borrow your access card.
Tours of restricted areas are absolutely prohibited.
should be confined to normal business hours. If a visitor
needs to come in early or leave late, the security group
must be notified. All other escort procedures apply.
you see an unescorted person wearing a visitors badge or
without an employee badge, ask "may I help you".
Find out where they are going and make sure they get there.
Report any suspicious activity to building security, followed
immediately by the security group.
security is critical to the safety and security of the organization.
Once an intruder breaches this first layer, they become
less conspicuous and an even greater threat.
personnel are trained to recognize potential threats and
react accordingly. However they can not be in all places
at all times. We must all do our part. Please be vigilant.
Report any unusual activity:
Those exhibiting suspicious behavior - Intruders often show
signs of nervousness or anxiety.
° Covert use of a computer system - This includes company
workstations, network jacks and laptops from within a parked
° Surveillance - Surveillance is often the first step in
an attempted breach of security. Photography is an obvious
sign. Question new or hidden equipment in conference rooms,
office space and wiring closets.
° Unattended bags or boxes in public areas
keep the outer perimeter secure by closing doors and windows
tightly. If you find an access point that does not secure,
report it to building security. The loss or theft of building
access cards or parking passes are also a significant threat
any unusual patterns of activity. When you suspect that
something is not quite right, trust your instincts. You'll
be glad you did.
SEPARATION OF DUTIES
of the largest security breaches in history can be attributed
to one person having "the keys to the castle".
of duties is required to secure valuables and sensitive
are a few real world examples:
In information technology, the networking group controls
the networking gear. The security group controls the intrusion
detection software and the firewalls. The auditing group
has read-only access and monitors the activity of the networking
and security groups.
° In accounting, one person has the ability to add an account
and another has the access to write checks.
° In banking, 2 people are required to open the vault.
2 combinations to open a bank vault is also an example of
two-person integrity (TPI). In order to breach security,
the collaboration of 2 people is required.
consider whether the appropriate checks and balances exist
in your area of responsibility. If they do not, please involve
the security group. You can count on our professionalism
NEED TO KNOW
disclosure of sensitive information represents a serious
threat to the organization. Almost everyone has heard the
expression "loose lips sink ships". The same level
of damage can impact a business, resulting in lost revenue,
decreased stock value and employee layoffs. A healthy dose
of paranoia is warranted here.
is a concept of least privilege. Sensitive information is
only provided to those that need it to perform their duties.
some the requirements of need-to-know goes against their
nature as intriguing conversations can be a welcome diversion
from an otherwise boring day. Do not disclose sensitive
information to friends, family or anyone who does not have
information includes but is not limited to:
° Sales statistics
° Customer lists
° Trade secrets
° Financial earnings
° Business negotiations
° Security vulnerabilities
° Security incidents
° User ids and passwords
° Internal policies and procedures
° Employee directories
disclosure can occur over the many distribution methods
available today: web sites, client newsletters, databases,
application software, files, printouts, e-mail, phone, voicemail,
and face to face conversations. Each must be carefully controlled.
One common mistake is forwarding internal e-mail to external
parties with sensitive information attached in a file or
buried at the bottom of a long string of messages. Internal
e-mail addresses can leak out in this manner as well.
consider distribution of information to business partners,
consultants and clients. In addition to meeting confidentiality
and need-to-know requirements, ensure that all information
is protected under a non-disclosure agreement.
not disclose sensitive information to coworkers unless they
have a business related need-to-know. Key questions are
"What are you using the information for?" and
"Who will you share it with?".
in public, resist the urge to "talk around" sensitive
information. Social engineers have been known to frequent
after hours hangouts to harvest information from employee
may be penalties for disclosing sensitive information to
NOTE: These tips can displayed in random format (free download):