Ira Winkler - Security Awareness For Dummies


Security Awareness For Dummies: summary, description and annotation

Make security a priority on your team Every organization needs a strong security program. One recent study estimated that a hacker attack occurs somewhere every 
Since security programs are only as effective as a team’s willingness to follow their rules and protocols, it’s increasingly necessary to have not just a widely accessible gold standard of security, but also a practical plan for rolling it out and getting others on board with following it. 
Security Awareness For Dummies gives you the blueprint for implementing this sort of holistic and hyper-secure program in your organization.
Written by one of the world’s most influential security professionals—and an Information Systems Security Association Hall of Famer—this pragmatic and easy-to-follow book provides a framework for creating new and highly effective awareness programs from scratch, as well as steps to take to improve on existing ones. It also covers how to measure and evaluate the success of your program and highlight its value to management. 
Customize and create your own program
Make employees aware of the importance of security
Develop metrics for success
Follow industry-specific sample programs

Cyberattacks aren’t going away anytime soon: get this smart, friendly guide on how to get a workgroup on board with their role in security and save your organization big money in the long run.

Security Awareness For Dummies — read the excerpt online

Do you remember the old term “death by a thousand cuts,” which refers to many small and seemingly inconsequential losses adding up to a major incident? It’s easy to ignore the small losses, but preventing small losses can frequently save an organization more money than preventing a large incident. When you create a security awareness program, you must consider all threats and determine whether the frequency of a small loss becomes worthy of expending limited awareness resources (Chapter 8 discusses this process in greater detail).

DEALING WITH NATURAL DISASTERS

The types of threats that represent incidents resulting from non-human-related occurrences are events such as hurricanes, earthquakes, floods, and power outages. At the time I wrote this chapter, fires were ravaging California while two hurricanes bore down on the US Gulf Coast. These disasters will cost organizations billions of dollars. Even those organizations not directly affected by such disasters minimally suffer increased gasoline prices, which result in increased shipping costs.

Just as well-meaning people cause more damage than malicious actors, some threats result in more damage than most humans can imagine. Many of these threats are relatively small and localized, but more than enough are massive and have disastrous effects.

You probably can’t provide any awareness of value regarding the existence of natural disasters, but you can use these occurrences to motivate people to implement basic countermeasures. For example, data backups and the use of uninterruptible power supplies are critical to mitigate the damage from natural disasters.

Vulnerabilities

Vulnerabilities are an organization’s weaknesses — they allow a threat to exploit your organization. Someone may want to harm your organization, but they can’t act on their intentions unless you provide vulnerabilities that they can exploit. Awareness is a countermeasure that addresses relevant vulnerabilities.

Here are the categories of vulnerabilities as I identify them:

Technical vulnerabilities: Weaknesses in technology that create loss.

Physical vulnerabilities: Allow physical access or otherwise allow for damage of physical resources to occur. For example, you can spill water on your computer and cause damage, or someone can walk into your office and steal the computer.

Personnel vulnerabilities: Involved in the hiring, maintaining, and separation of people. For example, you might hire people who are incapable of performing the job, or who may be criminals. Similarly, if you don’t have the right legal documents in place, you’re placing your organization at risk. Personnel vulnerabilities can involve direct employees or anyone with access to your information. Edward Snowden, for example, was not an NSA employee — but rather an employee of Booz-Allen, which was a contractor to NSA. His access allowed him to steal classified information and download that information onto USB drives that he carried out of the NSA facility.

Operational vulnerabilities: Involve weaknesses in how processes are designed and implemented. Do people do things that are secure or insecure? Are processes inherently secure or insecure? For example, some companies have posted too much information on websites. The now infamous Twitter hack of July 2020 involved a wide variety of operational weaknesses, where too many employees had access to the administrator tools, where employees gave up their credentials, and where it required only a single employee to reset passwords on accounts with more than 100 million subscribers, among a variety of other weaknesses.

Awareness is useful for addressing all categories of vulnerabilities. Awareness can help people know how to secure their technology and counter technical vulnerabilities. Awareness teaches people how to use and enforce physical protections. Awareness highlights operational procedures to implement policies and otherwise behave.

Countermeasures

In the risk formula (see the earlier section “ The risk formula”), countermeasures are what you do or implement to mitigate threats or vulnerabilities. Most organizations cannot mitigate threats, however. Unless you’re a nation-state, you cannot stop terrorists, for example, from existing. You cannot stop a criminal from being a criminal. You cannot stop a hurricane from striking Florida.

Though you cannot address a threat, you can address the vulnerabilities that threats exploit. With a hurricane, for example, you might choose to locate facilities outside of hurricane zones. If you know that facilities might lose power from a wide variety of threats, you can address the vulnerability of nonresilient power sources by installing backup generators.

The primary purpose of countermeasures is specifically to mitigate vulnerabilities.

As with vulnerabilities, I divide countermeasures into the following categories — these categories correspond to the implementation type of the countermeasure, not the vulnerability it addresses:

Technical countermeasure: Mitigates vulnerabilities by using technical tools. A software tool used to fix a technical flaw is a technical countermeasure. Multifactor authentication is a technical countermeasure that can mitigate an operational weakness of poor security awareness as demonstrated by users who don’t know not to divulge their passwords. Awareness messages embedded in screen savers are also technical countermeasures.

Physical countermeasure: Uses physical tools, such as reminder signs, to mitigate vulnerabilities.

Personnel countermeasure: Involves tools that address the human resources (HR) process, such as integrating a security awareness presentation into new hire orientation.

Operational countermeasure: Addresses how work is performed, which may also include the identification of governance. This may include how to properly identify callers asking for protected information.

Part 2

Building a Security Awareness Program

IN THIS PART …

Create a strategy to communicate your message and measure results.

Tailor your program to your organization’s culture.

Choose program topics that consider business drivers and other factors that motivate users.

Pick the communications tools that work best for the users you need to reach.

Integrate metrics that show how awareness benefits your organization.

End of the introductory excerpt.

Text provided by LitRes LLC.
