Key takeaway from Security Awareness Training = Skepticism
Updated: Jun 11, 2020
Originally Published 2/25/15
As a Cyber Security Professional, what I want out of Security Awareness training is a change in end user behavior.
Unfortunately, I have seen too many PowerPoints written by security professionals who are trying to impart some of their hard-earned wisdom to their user community. Ask any parent of a teenager: wisdom has to be earned; it cannot be given.
Quite frankly, I don't care whether the end users understand Confidentiality, Integrity, Availability (CIA), encryption, firewalls, or any of the stuff that we take for granted, as long as they reduce engaging in risky behaviors.
Below are 4 of the riskiest DON'TS, a critical DO, and what I believe the user should understand is in italics.
As the NSA / Snowden episode shows, a hugely risky behavior is sharing credentials, and there is NEVER a reason to give someone else YOUR ACTUAL credentials.
Don't share your user IDs & passwords with ANYONE.
No legitimate support person in any circumstance will ask for your ID AND Password.
If a support person needs to use your ID in order to "act as you" to troubleshoot a problem, they should reset your password beforehand, and then you should change it AS SOON as the troubleshooting is complete.
If they DO ask for your password, BE SKEPTICAL. Feel free to say, "I will not give you my password; however, feel free to change it, and I'll change it again when we are done here."
The following behaviors happen because users take advantage of "convenience features" such as email attachments or embedded links. Security Awareness comes when users are willing to apply a little skepticism and trade a little of this convenience for manual effort.
Don't open "risky" attachments
Email attachments, especially executables, are still a viable method of infecting computers; these typically pose as delivery announcements from DHL or FedEx, password change requests from Facebook, or account information from Amazon.
If you receive an email from one of these companies, BE SKEPTICAL. You can verify the request by simply opening a new browser window, typing in the URL for the company website, and following the instructions on their website to complete whatever action was suggested in the email.
Don't click on "risky" links in web pages or emails
One of the biggest sources of infections these days is end users clicking on malicious links in emails. Typically posing as emails from banks, financial institutions, well-known websites, or even friends, these links take you to a malicious copy of the site, which will try to download software, prompt you to install an "update", or simply ask you to fill out a form.
Again, the advice is the same: BE SKEPTICAL. If you get an email from a financial institution, DO NOT CLICK the link; open a new browser window, type in the URL for the company's website, and access your account that way.
If you did click, and the form prompts you for information (Social Security numbers / bank account information / credit card CVV numbers), BE SKEPTICAL and CLOSE THE BROWSER WINDOW.
If it's from an institution where you DO NOT have an account, then certainly DON'T EVER CLICK the link; delete the email.
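The advice above is aimed at people, but the same skepticism can be applied mechanically before a message ever reaches the inbox. The script below is an added example, not code from the original post: it parses the links in a constructed HTML email and flags the tells the post describes (a link whose visible text names one site while the href points somewhere else, a raw IP address as the destination, or a plain http link). The sample message, host names and the `assess_link` function are all assumptions made up for this illustration.

```python
"""Flag links in an HTML email whose destination does not match what they claim.

Added example (not from the original post). The sample email and all host
names below are constructed for illustration; none of them are real sites.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a phishing-style HTML message, not a real email.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please <a href="http://login.examplebank.com.evil-host.test/verify">
sign in at https://www.examplebank.com</a> to confirm your account.</p>
<p>Or visit <a href="https://www.examplebank.com/help">our help centre</a>.</p>
<p>Track your parcel: <a href="http://203.0.113.5/track">www.example-courier.com</a></p>
"""

# Matches something that looks like a domain name inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r'(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})')
DOTTED_IPV4 = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def registrable_domain(host):
    """Crude approximation of the registrable domain: the last two labels.

    'login.examplebank.com.evil-host.test' -> 'evil-host.test'
    Good enough to show the idea; a real filter would use the public suffix list.
    """
    parts = host.lower().rstrip('.').split('.')
    return '.'.join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href', '')
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            text = ' '.join(''.join(self._text).split())  # normalise whitespace
            self.links.append((self._href, text))
            self._href = None


def assess_link(href, text):
    """Return the reasons this link deserves skepticism (empty list = nothing found)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ''
    if parsed.scheme != 'https':
        reasons.append('not https')
    if DOTTED_IPV4.fullmatch(host):
        reasons.append('raw IP address as host')
    # If the visible text shows a domain, it should agree with where the link really goes.
    shown = DOMAIN_IN_TEXT.search(text.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f'text shows {shown.group(1)} but link goes to {host}')
    return reasons


def scan_email(html):
    """Return a list of (href, text, reasons) for every link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in collector.links]


if __name__ == '__main__':
    for href, text, reasons in scan_email(SAMPLE_EMAIL_HTML):
        verdict = 'BE SKEPTICAL' if reasons else 'looks consistent'
        print(f'{verdict}: "{text}" -> {href}')
        for reason in reasons:
            print(f'    - {reason}')
```

Of the three links in the constructed message, only the genuine https link to the bank's own domain passes; the other two are flagged for the mismatch between what they show and where they go. Note that the domain check is deliberately crude (last two labels), so it is a demonstration of the idea rather than a drop-in mail filter.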
Finally an example of people expecting "something for nothing"...
Don't insert USB drives / disks from any unknown person
There is no such thing as something for nothing. Finding a "free" USB drive in a parking lot, in the mail, or in a conference room, or even receiving one as a vendor giveaway, should be treated with, yes you guessed it, SKEPTICISM.
It is very simple to infect a USB drive with "malware", software designed to relieve you of your money or other critical information. Just the act of plugging in the drive can be all that's required to infect your machine.
That free 4GB USB stick is not worth anything; throw it away, or give it to your friendly Info Sec or Helpdesk Support team.
Do Be Skeptical
As an end user,
Believe that not everything is as it seems: if something seems too good to be true, it probably is, and you don't get something for nothing.
Believe that the Internet is the "wild west" and act accordingly to protect yourself.
The key takeaway from Security Awareness Training should be a healthy dose of skepticism. If you become just 10% more skeptical, there are knock-on effects in the reduction of infections and exposure of personal and company-sensitive data.
Stop teaching end users about CIA, firewalls and encryption and teach them to be skeptics !!!!
Worried about whether or not your users are skeptical enough? Then contact MXL Consulting to figure it out.