Why it's time to stop calling users n00bs

This is a guest post by Sophos security expert James Burchell. James has appeared on Naked Security and Sophos News before, live in person in videos and podcasts. This is his first written article – we’re looking forward to his next!
October is National Cybersecurity Awareness Month (NCSAM) and this week’s theme is “Cybersecurity in the workplace is everyone’s business.”

Naked Security asked me what I’d do to make cybersecurity into a company-wide deal, rather than just relying on programmers and IT gurus to keep us all safe.
After all, even if we were able to write bug-free code and deploy it perfectly, cybersecurity would still be a massive problem, because one of the biggest risks to any organisation is a biological one – humans!
If you’re a techie or on the IT staff inside your company, you’ll know what I mean: you love users, yet you hate them; you call them n00bs; you deal with 1d10t errors on a daily basis.
Nevertheless, you also have to acknowledge that they’re inside every network, amongst some of your organisation’s most closely guarded secrets.
So, here’s how I see the problem.
In today’s world, every organisation can be considered a high-tech business.
Modern technology enables your business to reach more customers, and allows your humans to be more productive, though sometimes in a less controlled way than you might like.
The same technology, unfortunately, allows the Bad Guys to reach your business in a myriad of different ways, too.
Believe it or not, most of the actions performed by your humans are not done with malicious intent.
Alice didn’t mean to lose her laptop, Bob didn’t realise that he was sending that email to the wrong person and Charlie genuinely thought he received a parcel delivery notification from his courier.
Yet, after nearly 30 years of trying and billions of pounds in investment, we are still struggling with cybersecurity because we often fail to recognise that the issue is more than just a technical problem.
The human firewall
So rather than looking at your humans and wondering about what PEBKAC issues you’ll have to deal with next, instead look at them as having the potential to be individual human firewalls.
Weaponise them with enough knowledge to recognise a potential attack on their human emotions, and instil trust in them that they won’t be cast to the lions if they accidentally click on a link suggested by a hoodie-wearing hacker who’s sitting on the other side of the world.
Do that, and you will have one of the best detection and remediation systems that money can buy.
Create awareness
Create awareness around the office.
Get buy-in from a senior member of the organisation and consider having a dedicated area on the intranet where people can ask questions or as a place where you can post useful hints and tips, such as where to find great free security tools for personal use. (Sophos Home would be a good suggestion!)
Once you’ve created awareness, the natural progression is to measure who within your organisation is susceptible to phishing attacks – this is something that a phishing simulation toolkit can help you to identify.
If staff fail your phishing tests, don’t call them out or embarrass them – give them personal counselling to help them improve, to reduce the chance they’ll fall for phishing tricks again, and to get them on your side so they are ready to report potential security problems in the future rather than to sweep them under the carpet and hope no one notices.
Don’t ignore a particular department or person just because they are too busy or seem too important – those are great reasons for a cybercriminal to target them specifically, so make sure they’re included in your awareness activities.
Don’t be grumpy and mean
You’ll also win friends and influence people if you take care to show that not everyone in IT is there to be grumpy and mean.
Why not find a way to reward people for identifying potential security issues, all the way from keeping an eye out for tailgaters trying to slip into the building, to reporting dodgy emails with suspicious links and attachments?
Consider something as simple as having a jar of sweets or chocolate in the IT area so that people want to come and talk about security.
Or enter everyone who contacts you with a concern or reports a potential security issue into a monthly raffle for a prize such as a gift voucher.
Build a security team of everyone
Just think of the malware scare when Charlie clicked on that phishing email, and the position you found yourself in running around to figure out what happened.
Is it better for Charlie to hide what he’s done, fearing reprisal or ridicule from the IT team, or for him to approach you quickly and warn you about what just happened?
The latter would certainly put you in a better position to respond…
…so putting humans into your threat and risk assessments and creating a culture of security will put you and your business in a great position to face whatever comes next.
At the end of the day, every employee should be a part of the security team.