Part 2: Employee Security
In Part 2 of this series, we’re going to discuss employee information security: the processes and standards an employee should follow to protect data assets within an organization. In Part 1 we discussed personal information security and steps that, taken together, make it much harder for your data to be stolen. Several of those steps translate directly into the workplace, such as password hygiene, multi-factor authentication, and device encryption.
Employee security means not only protecting yourself in the workplace from data theft or corruption, but also accepting that you are responsible, to a certain degree, for protecting company assets. In this context, the consequences of neglecting security practices range from a formal reprimand to termination, and a single lapse can have wide-reaching impacts on the organization’s reputation, its client data, and more.
Social engineering, in the context of information security, is the manipulation of people into performing actions or giving up information. It is the basis of most “con” methodologies, but in an attack on an organization it is usually just one small piece of a larger effort to exfiltrate data from its systems. Knowing what types of attacks to expect, and what an attacker hopes to gain from your systems, makes your overall security program stronger.
Social engineering can be done remotely, through phishing attempts via email (described later), phone calls, or look-alike web pages that try to steal your credentials, or in person, by playing the role of a worker who needs access to sensitive systems or areas. The primary goal is to gather intelligence on an organization, its employees, and its processes for handling visitors and incidents, as part of both the reconnaissance and the initial-access phases of an attack. The end goal of most social engineering activity is to obtain at least one set of credentials with elevated privileges, such as an administrator account, or at the very least a power-user account that can be used to get back into the system later.
Being talked into giving out personally identifiable information or sensitive company information over the phone is another common form of social engineering. A recent Twitter post by another infosec community member described overhearing an employee read out a credit card number over the phone, including the expiration date and security code, for anyone nearby to hear. This kind of information disclosure can be incredibly damaging to a company, and as an employee you need to be aware of who can hear or see sensitive data any time you handle it.
There is also plenty of opportunity for onsite social engineering. As an employee, it is your job to be paranoid about and cautious of people who come into your workplace. The front-desk receptionist needs to vet anyone who walks in the front door before they are allowed any further into the facility. Once a visitor is confirmed and authorized, they should be accompanied at all times by an employee of the department they are visiting, to reduce any opportunity for social engineering tactics to be used.
All employees should be aware of any work being done in their immediate area. There should be a written policy, and training on it, so that the people in an area notice and challenge an unfamiliar person working there. Locking your computer when you step away, not leaving sensitive information written down in open view, and not letting anyone “shoulder surf” your screen are the most effective everyday defenses against social engineering.
Level: Common Sense
In Part 1, I discussed password creation, complexity, and how it relates to securing your personal data assets. The same rules apply to you as an employee. Don’t set your work passwords to things like “lovemyjob123” or “techguy83”; that only leads to poor security and a larger attack surface for your work accounts. Furthermore, don’t reuse passwords across accounts, and especially not between personal and work accounts: a breach of one site then hands the attacker your work login as well. As discussed in Part 1, a solid password manager like LastPass should be used to hold all of your work accounts and to generate long, random passwords that are not easily compromised.
Phishing is almost exactly what it sounds like (“fishing for information”): an attempt by a malicious third party to steal data, or to get an employee to perform some action, by spoofing a communication (typically a crafted email or website) in order to gain access to and defraud an account. Phishing can be used to steal anything from usernames and passwords and credit card numbers all the way up to high-dollar money transfers.
As the saying goes, “If it sounds too good to be true, it probably is.” When it comes to phishing attempts, this is all too true. The free-iPad spam emails that require you to sign in to a site with your credentials to redeem your prize are phishes; an unexpected redirection to what looks like a dropbox.com sign-in page, when you never asked to log in, is a credential-harvesting attempt. If you receive an unexpected email from your bank about a money transfer authorization, it is probably not real; to be sure, look up your bank’s phone number separately (from the back of your card or the bank’s official site), don’t use any number or link from the email itself, and confirm with the actual bank what is happening. Be suspicious, be wary, stay frosty.
In the example image below, a phisher requested a wire transfer through a VERY convincing email message purporting to be from USAA. One way to protect yourself from a phish is to look at every link in an email before acting on it: don’t click it, but hover your cursor over it and check the URL it would actually send you to. For example, in the original post the link text reads www.google.com, but the actual hyperlink points at yahoo.com. That is a harmless example, but this very basic tactic is used in phishing on the assumption that a user will simply click on the link in front of their face without question. Sadly, this happens all too often. Two caveats: hovering does not work on a phone, so open suspicious mail on a desktop client that shows the real destination, and a link shortener or redirect service hides the final destination even from a careful hover, so treat those as unverified.
Pictured here is an example email published by Cornell University IT: https://it.cornell.edu/phish/4113.
These crafted emails and websites are not always easy to identify, and even the most careful and observant user can be hit by a phish. A well-known security vendor in the industry, SonicWall, created a “Phishing IQ Test” if you would like to take a stab at checking your phishing identification skills.
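The display-text-versus-real-link check described above can be applied to a whole message body rather than one link at a time. The following is an added example written for this rewrite (it is not code from the original post): it parses the anchors out of an HTML email and flags any anchor whose visible text names one host while its href actually points at another, including the trick where the real brand domain is buried as a subdomain of an attacker-controlled hostname. The sample email body is constructed for the example, and the hostname usaa.com.account-verify.example is invented on the reserved .example domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self._href = None      # href of the anchor currently being read, else None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased hostname of a URL or bare domain ('' if there is none).

    A leading 'www.' is dropped so that www.usaa.com and usaa.com compare equal.
    """
    value = value.strip()
    if "://" not in value:          # bare 'www.example.com/path' has no scheme
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_domain(text):
    """True if the visible link text itself reads as a URL or hostname."""
    t = text.strip().lower()
    if t.startswith(("http://", "https://")):
        return True
    return bool(re.fullmatch(r"(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?", t))


def find_mismatched_links(html):
    """Return [(visible_text, href), ...] for anchors whose text names one host
    but whose href points somewhere else.

    The comparison is on the full hostname, so 'https://www.usaa.com/' shown as
    text but linked to 'usaa.com.account-verify.example' is caught: the real
    domain appearing as a subdomain of the attacker's host is still a mismatch.
    """
    parser = _AnchorCollector()
    parser.feed(html)
    return [
        (text, href)
        for href, text in parser.anchors
        if looks_like_domain(text) and host_of(text) != host_of(href)
    ]


# Constructed sample message body (not a real phish); the hostname
# usaa.com.account-verify.example is invented on the reserved .example TLD.
SAMPLE_EMAIL = """
<p>A wire transfer is pending. Review it here:</p>
<a href="http://www.yahoo.com/">www.google.com</a>
<a href="https://usaa.com.account-verify.example/login">https://www.usaa.com/</a>
<a href="https://www.usaa.com/">https://www.usaa.com/</a>
<a href="https://www.usaa.com/">Click here</a>
"""

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL):
        print(f"MISMATCH: shows {text!r} but goes to {href!r}")
```

Anchors whose text is not a URL, such as “Click here”, are skipped because there is nothing to compare them against; a fuller mail filter would list those links too, and would expand shortened or redirecting URLs before comparing hosts, since the mismatch is otherwise hidden behind the redirector’s domain.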
Level: Common Sense
Using personal email for business activities (and vice versa) is a bad practice. As an employee of a company you are more likely to be targeted by phishing scams and malicious emails at your company address, and more likely to receive the “Hot Girls in your area” or “Low-cost Viagra” spam at your personal address. Both kinds of email are malicious and unwanted and can cause serious damage in either environment, and mixing the two means a compromise of one mailbox spills over into the other.
Level: Common Sense
Many organizations have a BYOD (Bring Your Own Device) policy in place for employees to use their personal cell phones for work. If this is the case, there are likely many policies and procedures outlined in the company’s handbook for acceptable use on these devices.
It should go without saying, but it is going to be said anyway: “Regardless of company policy, do NOT put company information on your personal device.” That means no work email on your personal phone, no photos of client sites, the server room, or any other part of the facility, and no texts with your boss or coworkers about work-related matters.
If you go out to the bar or dinner after work and leave your phone on the table, or someone swipes it while you aren’t paying attention, the data on it is gone. Not just your data, but any company data on it as well. If your organization has a BYOD policy, ask whether they will provide a company device instead, because it is always better to keep company data separate from your personal data.
The reasoning is simple: if your device is compromised for any reason and contains company data, the company’s data is exposed along with your own. Some vendors, such as Samsung with its “Knox” mode, offer a sandboxed work container that keeps personal and business data separate and, when set up correctly, requires separate authentication for each profile.
Unauthorized / Non-Company Devices
Level: Common Sense
This might seem trivial or even silly, but don’t plug in random devices that you find lying around the office. One of the fastest ways to compromise a computer is to count on an employee plugging in a flash drive they found in the parking lot or the breakroom, which is exactly what a “red team” operation will leave behind after someone has gotten into the building through social engineering or other means.
The best policy is to take any unidentified device to the IT department, who are more likely to have a sandboxed “test machine” that is kept off the network solely for examining this kind of thing. Devices that cannot be confirmed to be company owned, such as flash drives, external hard drives, SD cards, phones, and laptops, should be removed from use immediately and not allowed to connect to the company network or to any sensitive equipment. Plugging in or connecting such a device exposes your workstation, servers, and network to malware, backdoors, rootkits, keyloggers, and ransomware, through auto-running executables and malicious files. Note that modern Windows versions no longer auto-run executables from USB flash drives, but that does not make an unknown drive safe: it can carry documents with malicious macros or shortcut files that run when opened, and a drive-shaped device can present itself to the computer as a keyboard and type commands the moment it is plugged in.
Level: Common Sense
Unauthorized and illegal activity on a company network is common and can lead to information leaks. Music and movie streaming, illegal downloads (torrents), and pirated software on the network can have serious legal, financial, and information security consequences. Software that connects to random places on the Internet to download files or stream media can easily pull down malware or remote-access tools along with the content.
Imagine for a moment that your boss found you were torrenting pirated applications on the company network and hardware to get some task done. Not only are you liable for any damage caused by the illegal downloads, but the company is liable for the licensing costs and legal fees needed to right the wrong caused by your actions. Beyond that, there can be further-reaching consequences, including (but not limited to) loss of company reputation (and the financial losses that follow) and disclosure of confidential data such as proprietary code or paperwork, customer data, or personnel records.
That pirated copy of Photoshop you downloaded to make the image for the latest blog post, memo, or website change a little prettier could have just cost you your job, cost the company thousands of dollars in damages instead of hundreds in licensing, and cost it the client contracts that keep the lights on.
The point is, don’t do these things on company time, the company network, or on company systems, because you can open yourself up to legal trouble, unemployment, malware, data disclosure, and a damaged reputation.
“When in doubt, throw it out” is an old saying used to prevent food poisoning. The same thinking applies to information security from an employee’s perspective, because you don’t want to poison your confidential or sensitive data either. In Part 3 of this series, I will discuss the basics of organization-wide information security strategies and topics.