Security Awareness Fundamentals

By: (CISA, CISSP, CRISC)

Publication: The Kansas Banker, November 2013

My daughter started basketball season this week. During the parent and coaches meeting, the coaches talked about how they plan to focus on the fundamentals of basketball with our kids. Michael Jordan was quoted as saying: “When I was young, I had to learn the fundamentals of basketball. You can have all the physical ability in the world, but you still have to know the fundamentals.” Even he knew the importance of knowing the fundamentals.

Just like in basketball, to be successful with an information security program, we need to make sure our employees know and understand information security fundamentals. Without our people knowing and practicing these fundamentals, we cannot expect to succeed in providing a safe and secure computing environment.

Principles of Information Security

First, let’s define what we mean when we say information security. In general terms, information security refers to the confidentiality, integrity, and availability of information, sometimes referred to as the CIA triad. But in terms of information security awareness training for employees, we are typically talking about training our users to protect information and defend it from unauthorized access, use, disclosure, perusal, or destruction.

In this article, we will look at several fundamentals of information security awareness we need to instill in our employees. These fundamentals should be communicated through formal training and reinforced periodically throughout the year in meetings, emails, posters, etc.

Passwords

The primary way we protect information and authenticate access through computers is with passwords. Passwords act as the virtual keys to our electronic vault. Therefore, we must ensure our users are using strong, unique passwords. Here are a few quick tips to help reinforce the fundamental of using strong passwords:

  1. Use unique passwords. It is common news for us to hear a company’s site was compromised and passwords exposed. If people use similar passwords across applications and websites, then it is easier for perpetrators to compromise accounts. Therefore, it is best to use a unique password for each application or at least a unique password on critical sites.
  2. Use long passwords. While many people talk about complex passwords, and complex passwords are good, several recent studies have shown longer passwords can be much more difficult to crack than shorter complex passwords. An easy way to remember long passwords is to use a phrase, song, or combination of words you will remember. In addition, you can “salt it” with complexity by simply replacing certain letters with numbers or special characters (e.g., 1 for i, @ for a).
  3. Change your passwords. Eventually, it is reasonable to believe your password may be compromised, so it is always good to periodically change your password.
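To show why tip 2 holds, here is an added worked example (not part of the original article) that estimates the size of the search space a brute-force guesser faces for a short complex password versus a long passphrase. The character classes, the sample passwords, the guessing rate of ten billion guesses per second, and the vocabulary size used for the word-level estimate are all assumptions chosen for illustration. The word-level estimate is included as the caveat a practitioner would want: a passphrase built from common dictionary words is weaker than its character count suggests, because an attacker can guess whole words rather than individual letters.

```python
import math
import string

# Assumed character classes. The estimate assumes the attacker knows which
# classes the password draws from but knows nothing else about it.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
    "space": {" "},
}

# Constructed sample passwords, not taken from any real account.
SHORT_COMPLEX = "Tr0ub4d@"                       # 8 characters, four classes
LONG_PHRASE = "my daughter plays basketball"    # 28 characters, two classes
LONG_SALTED = "my d@ughter pl@ys b@sketb@ll"    # same phrase with "salt"


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must search, given the classes present."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space_bits(password: str) -> float:
    """log2 of the number of candidates in an exhaustive character-level search."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def passphrase_bits(word_count: int, vocab_size: int) -> float:
    """Word-level estimate: log2 of candidates when an attacker guesses whole words."""
    return word_count * math.log2(vocab_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years needed to try every candidate at the assumed guessing rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for label, pw in [("short complex", SHORT_COMPLEX),
                      ("long phrase", LONG_PHRASE),
                      ("long salted", LONG_SALTED)]:
        bits = search_space_bits(pw)
        print(f"{label:14} alphabet={alphabet_size(pw):3} "
              f"bits={bits:6.1f} years={years_to_exhaust(bits):.3g}")
    # Caveat: four common words from an assumed 10,000-word vocabulary.
    wb = passphrase_bits(4, 10_000)
    print(f"{'4 common words':14} word-level bits={wb:.1f} "
          f"years={years_to_exhaust(wb):.3g}")
```

The character-level estimate for the 28-character phrase is far larger than for the 8-character complex password, which is the article's point; the word-level estimate shows that the advantage shrinks when the phrase is made of predictable words, which is why a phrase that is personal and unusual, or lightly "salted" as the article suggests, holds up better than a well-known lyric.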

An option many people choose to securely store and organize passwords is a password management application, like Secret Server, LastPass, or Password Safe. When considering these types of password vaults, it is important to ensure the product is secure, the company is reputable, and your master password is strong.

Internet

The Internet is now the electronic highway to the world. We can get access to just about anything through the Internet, but this also means just about anybody may gain access to our system through the Internet. Below are a few security fundamentals to keep in mind when using the Internet:

  1. Be careful where you go. Malware can be installed on systems by simply visiting a website. While it is possible for legitimate websites to be compromised and host malware, it is much more common on illicit websites. Therefore, be careful where you go on the Internet.
  2. Secure sites. Users of the Internet need to understand whether a site is sending and receiving information securely. The most common method is Hypertext Transfer Protocol Secure (HTTPS). This is visible on the address line when a website address starts with “https://” instead of just “http://”. In addition, some browsers offer other evidence of secure sites such as a padlock or a change in the color of the address bar. Users should never enter confidential information (e.g., passwords, financial data) on websites that are not secure.
  3. Links and attachments. A common method used by attackers to gain access to our systems is called phishing. Phishing typically happens when miscreants send links or attachments in emails or messages that install malicious software or direct the user to compromised sites. It is best not to click on any attachments or links in an email you are not expecting. And even better, instead of clicking on links in an email, manually go to the sites it references.
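The following added example (written for this article, not code from the author) puts tips 2 and 3 together: it reads the HTML body of an email, lists where each link really goes, and flags two things an employee should notice before clicking. The first is a link that does not use “https://”. The second is a link whose visible text shows one web address while the underlying destination is a different host, a common phishing trick that the article's advice (go to the site manually rather than clicking) defeats. The sample email is constructed for the example and uses the reserved “.example” and “.test” domain endings, so it points nowhere real. One caveat worth stating: HTTPS only means the connection is encrypted, not that the site is the one you intended, which is why the host comparison matters as much as the scheme.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body for the example; the hosts are reserved names.
SAMPLE_EMAIL = """
<p>Dear customer, your account needs attention. Please visit
<a href="http://www.bank.example.phish.test/verify">https://www.bank.example/login</a>
within 24 hours to confirm your details.</p>
<p>Questions? See <a href="https://www.bank.example/help">our help page</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or an empty string if it has none."""
    return (urlparse(url).hostname or "").lower()


def host_in_text(text: str):
    """If the visible link text looks like a web address, return its host."""
    candidate = text.strip()
    if "://" not in candidate:
        if not candidate.lower().startswith("www."):
            return None
        candidate = "http://" + candidate
    return host_of(candidate) or None


def inspect_links(html: str) -> list:
    """Return one finding per link: the real destination and any warning signs."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        issues = []
        if urlparse(href).scheme.lower() != "https":
            issues.append("not https")
        shown = host_in_text(text)
        real = host_of(href)
        if shown and shown != real:
            issues.append(f"text shows {shown} but link goes to {real}")
        findings.append({"href": href, "text": text, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in inspect_links(SAMPLE_EMAIL):
        status = "; ".join(f["issues"]) or "no warning signs"
        print(f"{f['text']!r} -> {f['href']}\n    {status}")
```

Run against the sample, the first link is reported as plain HTTP and as showing “www.bank.example” while actually going to “www.bank.example.phish.test”; the second link, which uses HTTPS and whose text is ordinary wording rather than an address, produces no warnings.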

Along with implementing good processes and technology solutions, regularly training our users on the fundamentals of information security awareness can greatly increase our overall information security.