Users: The Weakest Link
OK, here is where I am going to risk getting in trouble. It’s National Cyber Security Awareness Month, as it has been every October since the program started in 2003. I work at a company that provides solutions that help companies enhance their security posture, but I am not going to tell you to buy a new box, widget, device or service in this post. I am actually going to recommend something that can be done for free or very inexpensively, and that is:
TRAIN YOUR USERS
Users really are the weakest link in any security program. Sure, it is possible to do high-effort things like find exploits that will get you through a firewall, but why blast a hole through a concrete wall full of rebar when you can just have someone let you in instead?
Here are some of the things to train your users on:
- Passwords – a great source of debate, with Bill Burr having apologized for all the pain created by NIST SP 800-63, which advised complex passwords with a mix of capitals, lowercase letters, numbers, special characters and the like. This, in combination with policies requiring frequent password changes, has resulted in less security rather than more. Take a walk around your office: how long does it take you to find a password on a sticky note stuck to a monitor? So, the guidance would be to have reasonable, rational password requirements in place, teach your employees how to comply, and make sure they understand the importance of not sticking those sticky notes to their monitors.
- Avoiding the Social Hack. Here is a great video from DEF CON where Kevin Mitnick and Dave Kennedy illustrate how fast and easy social engineering exploits can be. You should teach your people to never give out passwords, and that IT or any other legitimate person should never ask for them. You should also train your people not to trust unknown people on the phone, regardless of what they claim or who they say they are. Remember the infamous HBGary hack? A big part of that was Anonymous getting HBGary folks to hand over credentials.
- Keep Clean, Keep Patched. It should go without saying that you should not go to Bad Places on the net, and in particular that you should not download questionable software from such places. That said, were you still inclined to do such things, you should not do them on the work laptop. Another aspect of reducing risk is keeping your system updated, regardless of operating system.
- Removable Media. USB sticks can be convenient, especially on the road. While most people are smart enough not to use a USB stick they find on the floor at Black Hat, it is worth reinforcing the importance of using common sense with removable media. Indeed, sometimes even trusted sources make mistakes, as seen in this case.
- Physical Security. Once something like a laptop is out of your physical control, you have a real problem. With compliance regimes like HIPAA having grown formidable teeth, it is more important than ever to consider physical security as part of your overall plan. Need proof? Stolen laptops have led to significant HIPAA settlements.
- Encryption. So you didn’t pay attention to item 5 above and left your laptop on the passenger seat in full view while parked on the street in the Tenderloin. You come back from that avocado toast and PBR only to find your car window smashed and your laptop gone. What’s the one thing that might save you? Running full-disk encryption – see the instructions for macOS and Windows 10.
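To make the Passwords item above concrete, here is an added example (not code from the original post) of what "reasonable, rational password requirements" look like when enforced in code. It follows the revised NIST SP 800-63B approach that replaced the old composition rules: require a minimum length, allow long passphrases, and reject passwords that appear on a list of common or breached passwords or that contain user/organization context words. The blocklist here is a small constructed sample; a real deployment would check against a full breach corpus.

```python
"""Password policy check in the spirit of NIST SP 800-63B: length plus a
compromised-password blocklist instead of uppercase/number/symbol rules.

Added example, not from the original post. COMMON_PASSWORDS is a constructed
sample standing in for a real breached-password corpus.
"""
from __future__ import annotations

import unicodedata
from typing import Iterable, List

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # permit long passphrases; never truncate silently

# Constructed sample of frequently used / previously breached passwords.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin", "iloveyou", "p@ssw0rd",
}


def normalize(password: str) -> str:
    """Apply Unicode NFKC so visually identical strings compare equal
    (SP 800-63B recommends normalizing before storage/comparison)."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, context_words: Iterable[str] = ()) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    context_words: user- or org-specific strings (username, company name)
    that should not appear inside the password.
    """
    pw = normalize(password)
    lowered = pw.lower()
    reasons: List[str] = []

    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears on the common/breached password list")
    for word in context_words:
        if word and word.lower() in lowered:
            reasons.append(f"contains context word {word!r}")
    # Catch the degenerate "aaaaaaaa" case that length alone would pass.
    if len(pw) >= MIN_LENGTH and len(set(pw)) == 1:
        reasons.append("a single repeated character")
    return reasons


def is_acceptable(password: str, context_words: Iterable[str] = ()) -> bool:
    """Convenience wrapper: True when check_password finds nothing wrong."""
    return not check_password(password, context_words)


if __name__ == "__main__":
    # Constructed demo inputs; "acme" plays the role of the company name.
    samples = ["P@ssw0rd", "correct horse battery staple", "short",
               "aaaaaaaa", "acme-widgets-2017"]
    for candidate in samples:
        verdict = check_password(candidate, context_words=("acme",))
        print(f"{candidate!r:34} -> {'OK' if not verdict else '; '.join(verdict)}")
```

Note what is deliberately absent: no rule demanding a capital, digit or symbol, and no expiry date. Those are the two policies the post blames for the sticky notes, and the blocklist plus length check catches the weak choices they were meant to prevent.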
Anyway, security is often said to be best considered as a systemic effort rather than a point solution, and as such all parts of the system need to be included. Some of the easiest yet hardest components to address are the users: easiest because they can do things on their own and most really do want to do the right thing, yet hardest because they require ongoing training. However, if you take the time to do company-wide training you can make a significant difference to your overall security posture, and you don’t even have to buy another box or subscription!