Developing an Effective Security Awareness Program: Malware, Wireless Security, and Safe Internet Browsing

01/19/2017  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Practice Leader of Risk Services


As mentioned in the preceding article, Developing an Effective Security Awareness Program: Physical Security, Password Security, and Phishing, one of the greatest threats to a company’s information security comes from within. 

Though it is true that disgruntled personnel have been known to intentionally conduct malicious behavior, it is far more common for employees to unintentionally behave insecurely while performing their daily tasks.  Given the increasing sophistication of the never-ending barrage of scams and tactics utilized by cybercriminals, an unaware, poorly trained employee will undoubtedly cause a security incident in due time.

With the ever present need for regulatory standard compliance, security awareness programs have been implemented on a growing scale; however, often these programs are designed quickly and with the intent of meeting the bare minimum requirements. The purpose of implementing a security awareness program should not be to simply meet requirements. The purpose is to provide employees with a solid core of security knowledge so they may make the most informed decisions possible.

It is recommended that the effectiveness of an implemented security awareness program be measured and tracked as the program evolves to meet the needs and demands of the company and the cyber world. Tracking statistics of security incidents before and after training supports continuous improvement and highlights potential gaps in security training.  Just as importantly, ever-improving security incident statistics that correlate with an ever-improving security awareness program provide understanding and garner support from management.
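The before-and-after comparison described above can be made concrete with a small script. The example below is added here and is not code from the article or from LBMC; the incident records, the training date, and the headcount of 250 are constructed sample values. It splits an incident log into equal-length windows on either side of the training date, normalizes counts to incidents per 100 employees per 30 days, and reports the percentage change per incident category, which is the kind of figure that highlights a gap in training (a category that does not improve) or justifies the program to management.

```python
"""Added example (not from the LBMC article): measure the effect of security
awareness training by comparing incident rates before and after a training
date.  All incident records, dates and headcount below are constructed."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample incident log: (date, category).  In practice this would
# be an export from a ticketing system or SIEM.
SAMPLE_INCIDENTS = [
    (date(2016, 9, 3), "phishing"),
    (date(2016, 9, 17), "malware"),
    (date(2016, 10, 2), "phishing"),
    (date(2016, 10, 20), "unapproved_wireless"),
    (date(2016, 11, 8), "phishing"),
    (date(2016, 11, 25), "malware"),
    (date(2017, 1, 12), "phishing"),
    (date(2017, 2, 3), "malware"),
    (date(2017, 3, 21), "phishing"),
]

TRAINING_DATE = date(2016, 12, 1)  # assumed date the training was delivered
HEADCOUNT = 250                    # assumed number of employees covered


def split_by_training(incidents, training_date):
    """Return (before, after) lists of categories, split on the training date."""
    before = [cat for d, cat in incidents if d < training_date]
    after = [cat for d, cat in incidents if d >= training_date]
    return before, after


def rate_per_100_per_month(categories, days, headcount):
    """Incidents per 100 employees per 30-day period, keyed by category."""
    counts = defaultdict(int)
    for cat in categories:
        counts[cat] += 1
    months = days / 30.0
    return {cat: n / months / headcount * 100.0 for cat, n in counts.items()}


def training_effect(incidents, training_date, window_end, headcount):
    """Compare incident rates in equal-length windows before and after training.

    The 'after' window runs from training_date to window_end; the 'before'
    window is the same number of days ending at training_date.  Returns
    {category: {before_count, after_count, before_rate, after_rate, pct_change}}.
    pct_change is None when the category did not occur before training (a new
    category after training is itself worth a look), and -100.0 when it stopped.
    """
    window_days = (window_end - training_date).days
    window_start = training_date - timedelta(days=window_days)
    in_window = [(d, c) for d, c in incidents if window_start <= d < window_end]
    before, after = split_by_training(in_window, training_date)
    rates_before = rate_per_100_per_month(before, window_days, headcount)
    rates_after = rate_per_100_per_month(after, window_days, headcount)

    result = {}
    for cat in sorted(set(before) | set(after)):
        b_count, a_count = before.count(cat), after.count(cat)
        pct = None if b_count == 0 else (a_count - b_count) / b_count * 100.0
        result[cat] = {
            "before_count": b_count,
            "after_count": a_count,
            "before_rate": rates_before.get(cat, 0.0),
            "after_rate": rates_after.get(cat, 0.0),
            "pct_change": pct,
        }
    return result


if __name__ == "__main__":
    report = training_effect(SAMPLE_INCIDENTS, TRAINING_DATE, date(2017, 4, 1), HEADCOUNT)
    for cat, r in report.items():
        change = "new" if r["pct_change"] is None else f"{r['pct_change']:+.1f}%"
        print(f"{cat:20s} before={r['before_count']} after={r['after_count']} "
              f"rate {r['before_rate']:.3f} -> {r['after_rate']:.3f} ({change})")
```

Using equal-length windows on both sides of the training date matters: comparing a twelve-month history against the six weeks since training would overstate the improvement, and normalizing to headcount keeps the numbers comparable across departments of different sizes.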

An effective security awareness program must use a variety of communication methods, include a range of security topics, and be routinely communicated to users on a far more frequent cycle than the typically required annual basis.  The more often employees are presented with security information in an interesting and engaging format, the more likely they are to retain the information.

In the previous article, the awareness training aspects of physical security, password security, and phishing were discussed.  Three more equally important topics to be covered here are: malware, wireless security, and safe Internet browsing.

Malware

It is no secret that the general public considers the terms “malware” and “virus” to be synonymous.  Oftentimes the only term familiar to a user is “virus.”  IT security personnel have noted on several occasions that when the terms malware, Trojan, worm, etc. are used in communications with the general user, the user has no idea what these terms mean, and the seriousness of the situation can never be fully conveyed.

When security personnel are losing valuable time attempting to define terms and explain why a security incident is critical, they can no longer focus all of their attention on stopping the incident and preventing data loss.  If everyone in a company, including all management and subordinates, receives a thorough security education that defines the terms malware, virus, Trojan, worm, spyware, and adware, security personnel will no longer need to lose hours explaining basic terms in order to communicate the criticality of a situation.

Furthermore, if employees are aware of these terms, their definitions, and the potential impact each may have on a business, they will be better able to make security-conscious decisions while performing daily tasks.

Wireless Security

Users with devices capable of connecting to wireless networks should be made aware of the hazards associated with connecting to unknown, unapproved wireless networks.  As David Murphy explains in the PC World article Open Wireless Networks: Just Say No!, open wireless networks can be cyber-traps. “You might fall victim to harmless pranking from an industrious network owner who filters your traffic over to a separate wireless network to invert all the pictures on web pages you visit. Or you might run afoul of a nefarious networker who has set up a honey pot … to capture the packets of data exchanged between you and an unsecured website.”

Jack Wright developed a program known as “I Love My Neighbors.”  This program is relatively harmless and is meant to cause aggravation and confusion as a playful prank, not to make a profit.  The program performs numerous pranks as the user attempts to surf the Internet over an open wireless connection, including inverting the screen, redirecting links, and slowly blurring the screen, tricking the user into believing something is wrong with his vision.  A link to Jack Wright’s presentation explaining “I Love My Neighbors” can be found here.

Not all wireless network trickery is harmless.  As mentioned above, a network capturing data packets is not harmless.  Moreover, “It (an open wireless network) could be a man-in-the-middle-type setup that uses a server to log each and every bit of information you send through the compromised network. It could include rogue DNS records that lure you to a fake version of a popular website (e.g., Facebook). You think you’re logging into the real deal but you’re actually transmitting your credentials to a ne’er-do-well with some networking chops. Woe to the web surfer who uses similar login/password combinations for every site registration!”

Although this information is obvious to the security professional and represents a true danger, to others it may not be so apparent.  After all, what does a compromised Facebook account, or better yet, a personal email account, have to do with the security of the company?  Users have a tendency to use the same or similar passwords for all logins.

Moreover, valuable information about employees and the companies for which they work can be harvested from these accounts.  With this reconnaissance, a cybercriminal could learn sensitive information about the company or impersonate the employee, causing substantial damage to the business. Given the importance of using only secure, approved wireless networks, employees must be trained to do so and should be educated in the consequences of accessing unapproved wireless networks.

Safe Internet Browsing

Lurking in the wilds of the World Wide Web, malware runs rampant and cybercriminals lie in wait with traps and trickery designed to target and manipulate users into disclosing sensitive information and/or compromising their systems.

Avoiding Internet content laden with malware may seem intuitive to those in the information security field (though all of us have fallen victim at one point or another), but to the everyday user, avoiding this content is typically not at the forefront of their minds and certainly is not instinctual. A thorough security education must include training employees in safe Internet browsing.

Employees tend to operate under the assumption that because anti-virus is installed on their workstations, they are impervious to malware, but this simply is not true.  Keeping operating systems and applications current on critical patches and updating anti-virus signatures are two of several best-practice methods employed to prevent a compromised system. However, even the most up-to-date systems and anti-virus software can be bypassed by the latest exploits.  This is where educated and thoughtful Internet browsing comes into play.

Employees with access to the Internet need to be made aware of the potential hazards associated with visiting unknown and unapproved websites, and they need to understand that if a site is blocked, it is most likely blocked for a very good reason.

Conclusion

Creating a solid information security awareness program covering malware, wireless security, and safe Internet browsing, in addition to physical security, password security, and phishing, is a step in the right direction toward arming company personnel against cybercriminals.

An effective security awareness program must consist of a variety of communication methods, cover a range of topics, and be regularly communicated to users on a repetitive cycle throughout the year.  Importantly, the more often employees are presented with security information in an interesting and engaging format, the more likely they are to retain the information and better protect the company from a painful security breach.

The LBMC Information Security team can help you assess your risks and ensure that your security efforts produce the greatest benefit and have the most effective impact.

References: David Murphy, “Open Wireless Networks: Just Say No!”, PC World, http://www.pcworld.com/article/225221/dlink_open_wireless_network.html