
Top tips for security staff

There are some security practices every worker should be aware of. ZDNet Australia offers an easy step-by-step guide to make educating your employees easy.
Written by Stephen Withers, Contributor



Ernst & Young's Global Information Security Survey 2004 involved interviews with more than 1230 organisations in 51 countries.

For them, lack of user awareness was regarded as the number one obstacle to achieving a good information security posture, yet only 28 percent of respondents listed "raising employee information security training or awareness" as being a top initiative for 2004.

What they did not realise was that teaching staff some basic lessons in security awareness can be quite simple.

Here are some security tips you can give staff to heighten their security awareness.



Passwords
  • Strong passwords make a good starting point. The idea is to come up with something that is difficult to crack by both guesswork and by brute force, but at the same time is easy for you to remember.
    Avoid using single dictionary words, names or birthdays (especially those of family members or pets). One approach is to think of a phrase you can easily remember such as a line from a song. Take the first letter from each word to form a password, and then change some letters to similarly-shaped special characters. You can use the entire phrase, but the novelty soon wears off when you're typing it in for the tenth time in a morning.

  • Australian Standard AS 17799 recommends passwords be at least eight characters and contain a mix of characters and case. Hence "Mary Mary quite contrary, how does your garden grow?" might become "MMq<,hdygg?".

  • The value of a strong password is reduced if you don't log out or at least engage a screen saver lock when you're away from your computer. Those carrying out the majority of security breaches tend to have physical access to systems.
  • Once you do come up with a memorable password, don't write it down on a Post-It note that lives under your screen or the keyboard, or anywhere else for that matter.
    Keep in mind that social engineering attacks (such as "this is Jim from IT, we're resetting all the passwords so I need to know your password, please" or bogus surveys), while not widespread in Australia, can still pose a risk. Remember, you might not know what the questioner already knows or will later be able to find out about you.

  • Change passwords regularly. Intervals of six to 12 weeks balance the inconvenience against potential exposure to threat. Make a note in your PDA or organiser of the dates on which you should attend to this. Bear in mind that other passwords (such as voicemail) are also valuable and staff should also be making efforts to keep them secure.

  • Lastly, if you have been given a security token for two-factor authentication never let anyone else use it.
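The password advice above amounts to a checkable policy: length, mix of case and character types, no single dictionary word, no names or birthdays. The following is an added example, not part of the ZDNet article; the function names (`passphrase_to_password`, `check_password`), the tiny word list and the lookalike table beyond the article's own c-to-< substitution are assumptions. It applies the article's first-letter-of-each-word method to the "Mary Mary" line and then runs the result, and a few deliberately weak passwords, through the policy check.

```python
import re
import string

# Constructed stand-in for a real dictionary / banned-word list (assumption: a
# deployment would load a full word list such as /usr/share/dict/words).
COMMON_WORDS = {"password", "welcome", "letmein", "sydney", "summer", "football", "mary"}

# Letter-to-lookalike substitutions for the article's "similarly-shaped special
# characters" step. The article shows c -> "<"; the others are assumed here.
LOOKALIKES = {"c": "<", "s": "$", "a": "@", "i": "!", "o": "0"}

# Birthday-style patterns: 12/08/1975, 12-8-75, 12081975, 120875
DATE_PATTERN = re.compile(r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}|\d{6,8}")


def passphrase_to_password(phrase: str, swap: str = "c") -> str:
    """Apply the article's method: first letter of each word (keeping any
    punctuation attached to the word), then replace one letter with a lookalike."""
    pieces = []
    for word in phrase.split():
        punctuation = "".join(ch for ch in word[1:] if ch in string.punctuation)
        pieces.append(word[0] + punctuation)
    return "".join(pieces).replace(swap, LOOKALIKES.get(swap, swap))


def check_password(pw: str, personal_terms=()) -> list:
    """Return the list of policy failures for pw; an empty list means it passes.

    Policy as assumed from the article: at least eight characters, a mix of
    upper and lower case, at least one digit or symbol, not a dictionary word,
    no personal names or pet names, no birthday-like digit runs."""
    failures = []
    if len(pw) < 8:
        failures.append("too short")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("no mix of case")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        failures.append("no digit or symbol")
    lowered = pw.lower()
    # Strip digits/symbols so "Password1!" is still recognised as "password".
    if re.sub(r"[^a-z]", "", lowered) in COMMON_WORDS:
        failures.append("dictionary word")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            failures.append(f"contains personal term '{term}'")
    if DATE_PATTERN.search(pw):
        failures.append("looks like a date")
    return failures


if __name__ == "__main__":
    pw = passphrase_to_password("Mary Mary quite contrary, how does your garden grow?")
    print(pw, check_password(pw, personal_terms=("Mary", "Rex")) or "OK")
    for weak in ("Password1!", "rex2004", "Rex12081975"):
        print(weak, check_password(weak, personal_terms=("Mary", "Rex")))
```

The `personal_terms` argument is where a help desk would put the names, pets and dates a user is known to reuse; the passphrase-derived password passes because only initials of the phrase survive, while the three weak examples each trip a different rule.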



Network and PC Hygiene
  • Don't connect a personally owned device to the corporate network either directly (say by plugging your laptop into the LAN) or indirectly (like syncing your PDA to a company PC) without prior approval. The IT department should be able to tell you what you need to do to comply with the organisation's security policy, such as installing and regularly updating approved antivirus and firewall software.

  • If personal firewall software is installed on your PC, your first reaction to a request to access the Internet should be "no".

    The notorious SQL Slammer and Blaster worms both needed permission to operate as servers. Unless you can clearly identify the program and you know it legitimately requires network access, block it. If in doubt, seek advice from the IT help desk.

  • Don't install unofficial wireless access points. An incorrectly configured access point can allow outsiders onto the network, potentially exposing confidential information and allowing an intruder to use corporate resources. And when using outside access points including those in homes and cafes, you should ensure WPA security is enabled.

  • When accessing corporate resources other than the public Web site from a remote PC (say from home), get into the practice of installing antivirus and firewall software from a reputable vendor, learn to use your machine's automatic update function to keep the operating system and applications such as Office up to date, and install VPN software.

  • At all times leave the automatic update settings on company PCs the way they were configured by the IT department. They are set to provide the best protection while minimising the load on your organisation's Internet connection.

  • Do not install unauthorised software. If you gain approval for non-standard software, uninstall it if and when it is no longer needed. This frees up disk space, improves PC performance and eliminates possible dark corners where "net nasties" may hide.

  • Block file transfers in your instant messaging software. Just like e-mail attachments, they can be used to spread malware.

  • Keep clear of disreputable Web sites (you know what we mean!) as they may plant malicious code on your machine.

  • Tricking people into revealing passwords may be rare, but less unusual (judging by anecdotal evidence) are attempts to obtain passwords, as previously mentioned, via social engineering techniques. So if someone ostensibly "from the IT department" calls you and starts asking questions about your software or hardware configurations, or wants you to change some setting or other, offer to ring them back. But before you do, confirm with your help desk if the caller is genuine.



Mail
  • Corporate security is not impenetrable, so from time to time malicious e-mails will sneak through the organisation's spam and virus filters before vendors can provide the latest signatures. This is where your awareness becomes crucial -- you must know how to recognise these e-mails, and to treat them with extreme caution. Another problem is the emergence of "boutique malware", designed so it doesn't spread very far and may not come to the attention of antivirus vendors.

  • A first step is to resist viewing or replying to messages from questionable or unknown sources, or opening dubious attachments.

    If a message purports to come from a familiar e-mail address but the sender's name doesn't match the address, the subject contains apparently random words or characters, or the writing style doesn't match your correspondent's, treat the message with great suspicion and delete it. Do the same with anything that purports to be a protestation of affection, a joke, a celebrity video or other non-business content. Several worms have used such tricks.

    Assume the worst: if it seems out of place, either delete the message immediately or call the apparent sender to confirm authenticity.

  • Don't follow links in e-mails -- type the URLs directly into the browser instead. This is a big ask seeing as people have been conditioned to click on links, and URLs can often be long and generally contain seemingly random sequences of characters.
    You're not really likely to retype long links, so one compromise is to copy and paste an address from an e-mail into the browser. You'll need to take care to avoid clicking on the link while doing so. While that handles the old trick of showing a "good" URL in the text but linking to a "bad" one, it offers no protection against the more recent Internationalised Domain Names (IDN)/homograph exploit that uses international characters closely resembling English letters to create domain names that appear familiar but are associated with bogus sites.

  • Phishing attacks, where people are tricked into visiting fake Internet banking (or similar) sites through seemingly genuine e-mails, are becoming more common.
    A recent development is "spearphishing" where the e-mail is designed to trick specific people within an organisation in order to gain access to confidential information by installing keyloggers or other malware. So be on your guard, even when e-mail apparently comes from within the organisation.

  • Finally, e-mail is not secure. If you have to use e-mail to send confidential information, use an approved encryption tool to protect the data in transit.
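Several of the mail checks above (a familiar name on an unfamiliar address, link text that shows a "good" URL while the link goes somewhere else, and IDN/homograph domains built from lookalike characters) can be applied mechanically before a reader ever clicks. The code below is an added example, not from the article or any vendor named in it; the `KNOWN_CONTACTS` address book, the function names and the sample message are constructed for illustration. The sample contains a Cyrillic "а" (U+0430) standing in for the Latin "a" in a bank-like host name, plus a Punycode (`xn--`) label.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed address book (assumption): the address each known correspondent
# normally writes from, so a familiar display name on a strange address stands out.
KNOWN_CONTACTS = {"Alice Example": "alice@example.com"}

URL_RE = re.compile(r'https?://[^\s<>"\']+')
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def homograph_flags(host: str) -> list:
    """Tell-tales of an IDN/homograph domain: Punycode (xn--) labels, or
    characters outside ASCII, reported with their Unicode script name."""
    flags = []
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label")
    for ch in host:
        if ord(ch) > 127:
            script = unicodedata.name(ch, "UNKNOWN").split()[0]
            flags.append(f"non-ASCII character {ch!r} ({script})")
    return flags


def body_text(msg) -> str:
    """Concatenate the text parts of a parsed message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts if p.get_content_maintype() == "text")


def triage_email(raw: str) -> list:
    """Return warnings for one message; an empty list means nothing stood out."""
    msg = message_from_string(raw)
    warnings = []

    # 1. Sender: familiar display name, unfamiliar address.
    name, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_CONTACTS.get(name)
    if expected and expected.lower() != addr.lower():
        warnings.append(f"display name '{name}' usually sends from {expected}, not {addr}")

    body = body_text(msg)

    # 2. Links whose visible text shows one site but whose href goes to another.
    for href, text in ANCHOR_RE.findall(body):
        for shown in URL_RE.findall(text):
            if host_of(shown) != host_of(href):
                warnings.append(f"link text shows {host_of(shown)} but points to {host_of(href)}")

    # 3. Every host mentioned anywhere in the body, checked for homograph tell-tales.
    hosts = {host_of(url) for url in URL_RE.findall(body)}
    for host in sorted(hosts):
        for flag in homograph_flags(host):
            warnings.append(f"host {host}: {flag}")
    return warnings


# Constructed sample: a familiar name on a different address, a link whose text
# and target disagree, a Cyrillic 'а' (U+0430) inside "exаmple", and a Punycode label.
SAMPLE_EMAIL = (
    "From: Alice Example <alice@mail-example.net>\n"
    "To: bob@example.com\n"
    "Subject: Urgent: confirm your account\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<p>Please confirm at <a href="http://login.ex\u0430mple-bank.com/confirm">'
    "https://www.example-bank.com/</a>, or use http://xn--exmple-bank-abc.com/ "
    "if that fails.</p>\n"
)

if __name__ == "__main__":
    for warning in triage_email(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

Run on the sample it reports all four problems; a message from a known address with plain ASCII links produces no warnings. The non-ASCII test is deliberately blunt: in an English-language organisation any non-Latin character in a host name is worth a second look, which is exactly the judgement the article asks the reader to make by eye.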



Printing and other media
  • You don't always need to print a document. If it is confidential, it may be better protected if it remains in electronic form.

  • When printing is necessary, don't print a confidential document to a "public" printer -- use a personal printer assigned only to you and others of similar clearance (such as finance staff only) that's in a similarly restricted or monitored area, or a printer that can hold a job in memory until the user enters a PIN on the front panel.

    Always collect the output promptly from the printer, and once you've finished with a confidential document, don't just throw it in the bin: shred it, or follow some other secure disposal procedure.

  • Do not transfer confidential documents to removable storage such as USB keys, CDs, or portable hard drives without first consulting the IT department about the measures needed to protect the data (such as encryption) and how it may be securely erased after use (say by shredding the CD).



Physical security
  • Without physical security most technological measures lose their value. If someone can steal a hard disk, they don't need a password to access it.

  • Take care not to leave sensitive information stored on a notebook or a PDA in the back of a taxi or other public place. Even if it is handed in, lost property may be auctioned after a matter of weeks.

  • Leaving a notebook or PDA in plain view in an unattended car is asking for it to be stolen.
  • Don't let anyone "tailgate" you through a security door, and don't let anyone into the premises just because they say they have lost their pass, or they are making a delivery, or any other excuse.
  • If you see someone tampering with or attempting to remove a piece of hardware from your workplace, politely challenge them. And if you're not comfortable with that, immediately contact building security.

The following people contributed to the suggestions in this article: Stephen Bell, product manager, enterprise, corporate and government, Lexmark Australia & New Zealand; Edwin Butler, practice director for technology infrastructure, and Chewy Chong, senior systems engineer, Avanade Australia; Ben English, security mobilisation lead, Microsoft Australia; Fred Felman, vice president of marketing, Zone Labs division, Check Point; Paul Macrae, business development manager, MessageLabs; Sebastian Moore, vice president, RSA Security; Oscar Moren, managing director, Pointsec Mobile Technologies; Paul Sproule, NSW security practice manager, Dimension Data
This article was first published in Technology & Business magazine.