Gideon T. Rasmussen, CISSP, CISA, CISM, CIPP
Professional
Projects
Documents
Pictures
Web Site
 
SECURITY AWARENESS TIPS

VIRUSES

Viruses are frequently transmitted by e-mail. Some telltale signs are:

° Expressions of love
° Here's that file you wanted...
° Pornography
° Games or screensavers

Some virus messages are actually hoaxes, advising you to delete critical files or download infected software from a web site.

Viruses can send e-mail using a friend or coworker's system, effectively impersonating them.

Delete suspicious e-mail. When in doubt, consider whether the message has a legitimate business use. Do not open an attachment unless you are comfortable with the content of the rest of the message.

Anti-virus software uses stored virus definitions to detect and quarantine viruses. Virus definitions must be updated to defend against new viruses.

Your workstation has been configured to automatically download new definitions daily. Please do not interfere with the download or scanning processes.


WORKSTATION SECURITY

An unlocked workstation is a violation of security policy and leaves the system open to compromise.

Please configure a password-protected screen saver to lock after 10 minutes of inactivity:

1. Start > Settings > Control Panel
2. From the Control Panel, choose Display
3. From the Display window, click on the Screen Saver tab
4. From the screen saver drop down menu, choose a screen saver
5. In the Wait window, choose 10 minutes
6. Select "On resume, password protect"
7. Click OK to save the new configurations

You should also lock your workstation before leaving your desk:

1. Press Ctrl + Alt + Del
2. Click on "Lock Computer"

Both methods eliminate a period of vulnerability while the system is left unattended. The system can be unlocked by supplying your login ID and password.


TRUST YOUR INSTINCTS

When investigating a security incident, it is often discovered that people knew or suspected that something was going on before the incident occurred.

From time to time people may raise a false alarm and that's OK. It happens to security professionals occasionally and is to be expected.

Trust your instincts and use your best judgment. When you call to report an incident, provide as much detail as possible. The security group does not bite. ;-)


PASSWORDS

Hackers use software and word lists to automate password submittals. Source materials include dictionary files and lists of common names, characters, movies, etc. Using these methods, hackers can compromise weak passwords in under an hour.

Per company policy, passwords must be 8 characters and consist of 3 of the following elements:

° Upper case
° Lower case
° Numeric characters
° Special characters (i.e. * ! @ & )

The following password elements are prohibited:

° Common elements (i.e. words, names, sports, movies & shows, groups, songs, etc.)
° Elements relating to the user (i.e. user id, graduation, birthdays, phone numbers, SSN, pets, etc.)
° Keyboard patterns (i.e. 1q2w3e4r)
° Repeating patterns (i.e. ah*fJDS1, ah*fJDS2, etc.)

The following practices are prohibited:

° Recording user ids or passwords on paper
° Group accounts or shared passwords (passwords provide accountability, user to system)
° Distribution of passwords by e-mail or other insecure methods (i.e. fax)
° Use of the same password on multiple systems

Before distributing a password, positively identify the person and their need-to-know. Examples include:

° Confirmation by employee ID
° Checking drivers license against the company directory
° Calling back at the number listed in the directory
° Confirmation with a supervisor
° Confirmation with human resources

Passwords should be stored in password management software (i.e. eWallet or Password Safe).

Change your password at least every 6 months and whenever you suspect it has been compromised.

The help desk will not ask for your password. Report any attempts to obtain it to the security group.


CONTINUITY

Continuity is a key component to the success of any business. Single points of failure are a threat to continuity. Business depends on its employees to complete their duties. It also needs a reliable supply of goods and services. Its phone and IT systems must be highly available. Each employee must address continuity.

PERSONNEL CONTINUITY
Each critical function must have a primary and alternate formally assigned. Document mission essential procedures thoroughly. Documentation should be routinely updated and marked with the date of last revision.

RESOURCE CONTINUITY
Each department should consider the goods and services required to fulfill its mission. Verify that external organizations have methods to ensure reliable service/delivery in the event of equipment failure, supply chain issues, and emergencies such as natural disasters, terrorism, etc. If necessary, make legally binding backup agreements with separate providers.

PLANNING
Business continuity and disaster recovery should be addressed with comprehensive plans. Each department must contribute. Off-site storage and alternate work sites with phones and IT systems are also required. Verify your organization's state of preparedness by testing the plans at least annually.


CLEAN DESK POLICY

It is crucial to protect sensitive information from disclosure. Office space is frequented by visitors, consultants, vendors, cleaning crews, maintenance and fellow employees.

Please keep your workspace neat. If it is messy, you may not notice when something is missing. Throughout the day:

° Lock sensitive documents and computer media in drawers or filing cabinets
° Physically secure laptops with security cables
° Secure your workstation before walking away (Ctrl+Alt+Delete or windows key + l)

Do not post sensitive documents. Examples include:

° User IDs & Passwords
° IP addresses
° Contracts
° Account numbers
° Client lists
° Intellectual property
° Employee records
° Anything you wouldn't want disclosed

At the end of the day, take a moment to:

° Tidy up and secure sensitive material
° Lock drawers, file cabinets and offices
° Secure expensive equipment (laptops, PDAs, etc.)


DESTRUCTION OF SENSITIVE MATERIALS

Hackers and industrial spies have long used "dumpster diving" as a method for gathering sensitive information. Sensitive materials must be thoroughly sanitized before being discarded.

PAPER
Paper containing sensitive information must be shredded. Use high quality cross cut shredders to cut paper into fine/small pieces. Place shredders in common areas. Personal shredders should be purchased for employees that work daily with sensitive information.

CD-ROMS
CD-ROMs should be fed through a CD-ROM shredder. An alternative would be to snap CD-ROMs in half. The process of breaking a CD-ROM can send shards of plastic flying. The sharp edges of a broken CD-ROM can cut. A shredder is a better solution.

MAGNETIC MEDIA
Floppy disks and backup tapes should be opened and cut into small pieces. Hard drives should be over written 3 times with zeros and ones. Magnetic media containing extremely sensitive material should be sanitized with the magnetic field of a degaussing device. Degaussers can be expensive. As an alternative, disassemble each hard drive and sand the surface of its platters.


PHOTOGRAPHY

Photography has always been a threat to information security. Spy films highlight how easy it is to use a small camera to swipe confidential information. In just a moment of opportunity, a camera can be used to take information with no one the wiser. With digital cameras the size of a pack of cigarettes and cell phone camera combos, it is easier than ever to slip in a camera unnoticed.

In some cases visitors have stolen intellectual property by taking pictures on escorted tours. Visitors must never be permitted to take photographs. Do not leave visitors alone with sensitive materials, even for a moment.

Challenge anyone taking pictures in an unusual situation by asking "May I help you?" and following up with something like "What are the pictures for?". Immediately report any suspicious activity to the security group.


BACKUP YOUR DATA

Any files stored locally on your workstation will be lost in the event of a hardware failure. This includes your entire C drive and your workstation's desktop.

Store files on your personal network drive (X drive). It is backed up nightly. Use of your X drive also makes it possible to quickly replace your workstation for hardware and operating system upgrades.


SYSTEMATIC REMOVAL OF ACCESSES

Unauthorized access can cause serious damage to the organization. Disgruntled employees can use lingering accesses to enter systems or office space. Hackers can use inactive accounts to enter systems unnoticed. Potential damage includes theft of funds, equipment or intellectual property, disclosure of confidential information, and/or damage to property or personnel.

When an employee leaves their accesses must be immediately revoked. Human resources initiates systematic removal of accesses with the help desk and building security. When a consultant leaves, their supervisor must ensure accesses are removed. Employees must only have the accesses their position requires. When roles change, supervisors must rescind unneeded accesses.

The help desk goes to great lengths to track and rescind accesses. However, it is possible to overlook the extent of a user’s accesses. The typical user has more than network and voicemail access. There are remote accesses, custom applications, development servers, etc. Please take a moment to drop an e-mail to the help desk if you notice a former employee in the network e-mail address book, on a development server or elsewhere.

Each department has unique accesses that must also be addressed. Removal of access should be documented and routine. It should not require a meeting to lock down a section after someone has left. When an employee leaves, inform external organizations. Contact financial institutions, vendors, storage facilities and any other external organizations where the individual is listed as a point of contact. Update external contact lists and change authorization passwords.


LAPTOPS

The loss of a laptop can cause irreparable harm to the organization. Laptops must be secured and used responsibly to prevent compromise of sensitive information or unauthorized network access.

The IT department has taken measures to address the threats laptop users face. Your active involvement is critical to complete the equation:

° Laptop theft: When leaving a laptop unattended in a hotel room or office space, lock it to an unmovable or extremely heavy object using its security cable.
° System compromise: The operating system is hardened against attack.
° Patches: The help desk will periodically recall your laptop to install security patches.
° Network threats: Laptops are equipped with firewall software to defend against hacking attempts on public networks and the Internet.
° Viruses: Anti virus definitions must be updated weekly to be effective. Keep your definitions current to avoid a system outage while you are traveling.
° Theft of confidential files: In the event that your laptop is lost or stolen, sensitive files must be stored using file encryption software.
° Password compromise: Do not save passwords in files, web browsers, VPN clients or any other insecure software. Store passwords with encrypted password management software.
° Electrical surges: Protect your laptop from electrical spikes by plugging its power and modem connections into a surge protector.

The loss of a laptop is a serious security incident. In the event a laptop is lost or stolen, immediately contact the security group hotline at 123-456-7890.

If you need assistance with updating virus definitions, using file encryption or any other security features, please contact the help desk.


HOME COMPUTERS

Here are tips to secure your home computer and preserve data:

° Viruses: Install anti-virus software and configure it to automatically update its definitions every week.
° Internet threats: You should also have a firewall between your computer and the Internet. Firewall software has a small performance impact on your system. If you are using DSL or a cable modem, consider using a firewall appliance.
° Security vulnerabilities: New security vulnerabilities are discovered every day. Hackers write viruses to exploit them. Protect yourself by installing security patches at least every month.
° Password compromise: Do not save passwords in files, web browsers, VPN clients or any other insecure software. Store passwords with encrypted password management software.
° Theft of confidential files: Secure sensitive files with file encryption software.
° Electrical surges: Protect your systems from electrical spikes by plugging power and modem connections into a surge protector.
° Hardware failure: Periodically back up your files using removable media (i.e. a CDRW drive).


DON'T BE AFRAID TO SAY NO

Business culture is focused on customer service. The expression "the customer is always right" is well known. Social engineers take advantage of this. When encountering a bit of resistance, they will boldly press on. They may also impersonate a senior manager or claim to be from their office. In the military, this is known as "awe of rank". Don't fall for it.

When someone asks you to violate policy or procedure, hold firm and do what's right. Management will support your decision.

A social engineering attempt is a serious security incident. If you encounter a social engineer, take note of as many details as possible (i.e. the phone number from caller ID, background noise, the time, and the conversation). At the conclusion of the incident, immediately contact the security group hotline at 123-456-7891.


PIGGYBACKING & TAILGATING

Piggybacking occurs when an authorized person allows someone to follow them through a door to secure area.

Tailgating occurs when an unauthorized person slips in through a door before it closes.

Both practices are breaches of security. Locks and access cards are in place to protect the organization and its employees. Keep in mind that the person trying to follow you in may have been terminated recently.

Do not hold the door for anyone you do not know personally and make sure no one slips in behind you.

If you find a door that does not automatically close or has a broken lock, contact building security. If you find a door that is propped open, please close it.

Your efforts will help keep us all safe and secure. Thank you.


ROGUE WIRELESS NETWORKS

Wireless networks represent a way around the firewall. Hackers actively search for vulnerable wireless networks using a laptop equipped with a wireless card. This technique is referred to as "war driving" (versus war dialing for modems).

Wireless networking is still an emerging technology. The security components of the low-end models are not quite effective yet. The security of a wireless router is practically nonexistent if the encryption features are disabled.

Unauthorized wireless networks represent a serious threat to the security of the network. Rogue wireless routers will not be tolerated and may result in disciplinary action.

The security group will periodically check each site for compliance.


ELECTRONIC DEVICES

Unauthorized devices pose a significant threat to security. The use of electronic devices must be strictly controlled to prevent information leaks. With new devices being produced each year it is difficult to specifically address each one.

Personally owned devices which fall into these categories are prohibited on company grounds:

° Computer systems: Computer systems can be used to store sensitive data and may introduce viruses into the network. Handheld computer systems are of particular concern. They lack the security of their larger counterparts and their small size makes them easy to loose or steal. Anything that synchronizes to a workstation fits into this category. Examples include but are not limited to PCs, laptops, PDAs, electronic organizers and data watches.

° Recording devices: Audiovisual recording devices represent a threat for obvious reasons. Examples include digital cameras, PC cameras, video recorders and cell phone camera combos.

° Storage devices: Small storage devices and backup media can be used to transport large quantities of sensitive information. The IT department backs up files stored on networked personal drives and shared folders. Employees do not need to make their own backups. Examples of specific prohibited devices are zip drives, CDRW drives, and USB storage devices.

° Networking: Modems and wireless network devices must meet a business need and be approved, installed and maintained by the IT department. Do not use unapproved methods to remotely access company systems.

Consultants and visitors must be advised of these restrictions and monitored for compliance.

Company owned devices must be used responsibly:

° Sensitive data on laptops and PDAs must be encrypted. If either is lost or stolen, immediately report the incident to the security group.
° Be mindful of the background when using audiovisual recording equipment. Protect tapes in accordance with the sensitivity of the information. Avoid recording meetings.
° Store company owned electronic equipment under lock and key.


BUSINESS CONTINUITY

In the event of a disaster the initial recovery process takes roughly 1-2 days. During that time, systems are restored at a designated recovery site. The business continuity plan takes effect next.

Business units need to know what they can expect from the disaster recovery effort. They also need to be able to work independent of IT systems for whatever time is agreed upon for the disaster recovery process.

Each business unit must take an inventory of what they need to stay in business (identify dependencies). Take a hard look at the critical paperwork stored on-site. It gets more complicated... The business needs to identify critical suppliers and ensure that their contracts provide for disasters (i.e. a manufacturing plant won't function without a steady flow of parts). Human resources and accounting needs to be prepared too. Paychecks need to flow. Bills need to be paid. Emergency funds need to be available.

Each business unit must create and maintain a business continuity operations guide. Plan for both salvage and recovery teams.

Each year test both the disaster recovery and business continuity plans.


OPERATIONS SECURITY

Operations security (OPSEC) addresses the confidentiality of internal business processes and sensitive information. If OPSEC is breached, the compromise can be used to gain access, disrupt operations and/or for competitive advantage.

Adversaries may call many people throughout an organization, gathering small bits of internal information along the way (a name here, a term there). Before long, they have enough knowledge to impersonate an authorized user. Verify identity and distribute information based on a party's need-to-know. If someone is asking for internal information, verify his or her identity. If they don't have a need-to-know, the topic is none of their business (literally). Cite company policy as your reason for not disclosing the information.

Sensitive information can be deduced by gathering several pieces of public or uncontrolled information (aggregation and inference). For this reason, semi-sensitive information must be protected as well.

Take a hard look at what outsiders can learn from public sources and observing your operations. Web sites frequently the source of information leaks. Do not post semi-sensitive information in areas that are accessible to the public or visitors (i.e. lobbies, reception areas, conference rooms and office space). Examples of semi-sensitive information include:

° Organization charts
° Employee directories
° Store numbers
° Employee numbers
° Site locations
° Building blueprints
° Names of vendors or suppliers
° Approved processes for gaining access:
- Authorizing a visitor
- Obtaining an ID access card
- Obtaining a network, system or application account

Everyone throughout the organization must be aware of these threats and act accordingly to protect against them. Identify sensitive information in your area of responsibility (i.e. client lists or source code). Critically evaluate the how it is protected.


TRUST

Many security breaches can be traced back to improper trust relationships. Intruders or dishonest insiders discover these vulnerabilities and take advantage of them at their leisure. The damage can be severe from the loss of millions of dollars to the disclosure of sensitive information such as software code.

Trust relationships exist internally within an organization and extend to business partners and suppliers. Carefully examine trust relationships which pertain to finances, sensitive information and physical security.

Technical trust relationships include firewall rules and network segmentation. Roles within operating systems and applications must also be carefully configured to prevent compromise. For example, the assignment of roles within an accounting system should require separate roles to create an account and write a check. Monitor systems with intrusion detection and vulnerability assessment software.

Interpersonal trust relationships exist between coworkers. Trust is often extended to frequent visitors and delivery personnel as well. Social engineers know and exploit these weaknesses.

All trust relationships must be in accordance with company policies and procedures. Formal processes must exist to ensure that trust relationships are systematically rescinded once they are no longer required. Trust relationships and sensitive accesses must be routinely audited and reviewed.

Ask yourself, whom do I trust?


SECURITY INCIDENTS

In the event of a security incident, please remember the following guidelines:

1. Keep yourself and fellow coworkers safe. Personnel safety is the priority of /organization/.

2. As soon as an incident is discovered contact the following:

° Building security - 123-456-7890 - (only incidents pertaining to physical security)
° The security group - 123-456-7891 - (physical and computer security incidents)
° Your immediate supervisor

3. Take note of the incident's details. During an incident, things happen quickly and can fade from memory just as fast.

4. Keep the details of the incident confidential. Incident related information should only be disclosed to security and management personnel with a valid need-to-know.

Please keep this message available for reference in an emergency.

If you have any questions about this or any other security related issue, please contact the security group at 123-456-7891.


VISITOR ESCORT

Unescorted visitors represent a serious threat to the security of the organization.

Upon arrival, visitors must present a government issued ID card, sign a non-disclosure agreement and the visitor log. All items are subject to search. Laptops must be signed in and out.

Security will phone employees to inform them of a visitor's presence. Entry is not permitted until an escort arrives. Provide the guard with your employee ID card and sign for the visitor.

Visitors must be escorted at all times. Watch visitors closely. Small devices can be used to take pictures and store large amounts of sensitive data. If you need to step away, ensure that someone else accepts responsibility for watching the visitor. This includes escorting visitors back to the security desk. Frequent visitors must not receive special treatment. Instruct visitors to wear their visitor badges so that they can be easily identified.

At no time will a visitor be given access to the company network without formal authorization from the security group. Never let a visitor (or anyone else) borrow your access card. Tours of restricted areas are absolutely prohibited.

Visits should be confined to normal business hours. If a visitor needs to come in early or leave late, the security group must be notified. All other escort procedures apply.

If you see an unescorted person wearing a visitors badge or without an employee badge, ask "may I help you". Find out where they are going and make sure they get there. Report any suspicious activity to building security, followed immediately by the security group.


PERIMETER SECURITY

Perimeter security is critical to the safety and security of the organization. Once an intruder breaches this first layer, they become less conspicuous and an even greater threat.

Security personnel are trained to recognize potential threats and react accordingly. However they can not be in all places at all times. We must all do our part. Please be vigilant. Report any unusual activity:

° Those exhibiting suspicious behavior - Intruders often show signs of nervousness or anxiety.
° Covert use of a computer system - This includes company workstations, network jacks and laptops from within a parked vehicle.
° Surveillance - Surveillance is often the first step in an attempted breach of security. Photography is an obvious sign. Question new or hidden equipment in conference rooms, office space and wiring closets.
° Unattended bags or boxes in public areas

Help keep the outer perimeter secure by closing doors and windows tightly. If you find an access point that does not secure, report it to building security. The loss or theft of building access cards or parking passes are also a significant threat to security.

Report any unusual patterns of activity. When you suspect that something is not quite right, trust your instincts. You'll be glad you did.


SEPARATION OF DUTIES

Some of the largest security breaches in history can be attributed to one person having "the keys to the castle".

Separation of duties is required to secure valuables and sensitive information.

Here are a few real world examples:

° In information technology, the networking group controls the networking gear. The security group controls the intrusion detection software and the firewalls. The auditing group has read-only access and monitors the activity of the networking and security groups.
° In accounting, one person has the ability to add an account and another has the access to write checks.
° In banking, 2 people are required to open the vault.

Requiring 2 combinations to open a bank vault is also an example of two-person integrity (TPI). In order to breach security, the collaboration of 2 people is required.

Please consider whether the appropriate checks and balances exist in your area of responsibility. If they do not, please involve the security group. You can count on our professionalism and expertise.


NEED TO KNOW

Unauthorized disclosure of sensitive information represents a serious threat to the organization. Almost everyone has heard the expression "loose lips sink ships". The same level of damage can impact a business, resulting in lost revenue, decreased stock value and employee layoffs. A healthy dose of paranoia is warranted here.

Need-to-know is a concept of least privilege. Sensitive information is only provided to those that need it to perform their duties.

For some the requirements of need-to-know goes against their nature as intriguing conversations can be a welcome diversion from an otherwise boring day. Do not disclose sensitive information to friends, family or anyone who does not have a need-to-know.

Sensitive information includes but is not limited to:

° Internal reports
° Sales statistics
° Customer lists
° Trade secrets
° Financial earnings
° Business negotiations
° Security vulnerabilities
° Security incidents
° User ids and passwords
° Internal policies and procedures
° Employee directories

Unintentional disclosure can occur over the many distribution methods available today: web sites, client newsletters, databases, application software, files, printouts, e-mail, phone, voicemail, and face to face conversations. Each must be carefully controlled. One common mistake is forwarding internal e-mail to external parties with sensitive information attached in a file or buried at the bottom of a long string of messages. Internal e-mail addresses can leak out in this manner as well.

Carefully consider distribution of information to business partners, consultants and clients. In addition to meeting confidentiality and need-to-know requirements, ensure that all information is protected under a non-disclosure agreement.

Do not disclose sensitive information to coworkers unless they have a business related need-to-know. Key questions are "What are you using the information for?" and "Who will you share it with?".

When in public, resist the urge to "talk around" sensitive information. Social engineers have been known to frequent after hours hangouts to harvest information from employee conversations.

There may be penalties for disclosing sensitive information to unauthorized persons.


NOTE: These tips can displayed in random format (free download):
http://www.gideonrasmussen.com/sectips

   


Copyright © 2002 - 2008 Gideon T. Rasmussen All Rights Reserved.
Legal Notices