1
00:00:00,600 --> 00:00:02,620
User education,

2
00:00:02,620 --> 00:00:05,180
you know, being in IT would be great if it wasn't

3
00:00:05,180 --> 00:00:06,280
for all the users.

4
00:00:06,280 --> 00:00:09,200
My job as a security professional would be so easy

5
00:00:09,200 --> 00:00:10,750
if there weren't any users.

6
00:00:10,750 --> 00:00:12,970
I've heard people say this stuff all the time.

7
00:00:12,970 --> 00:00:15,130
The problem is we have to realize in IT,

8
00:00:15,130 --> 00:00:16,420
we're in customer service.

9
00:00:16,420 --> 00:00:19,170
If there were no users, there'd be no need for our network,

10
00:00:19,170 --> 00:00:20,550
and we'd be out of a job!

11
00:00:20,550 --> 00:00:22,560
So, it's important that we have these users.

12
00:00:22,560 --> 00:00:25,670
The problem is, users are our number one vulnerability

13
00:00:25,670 --> 00:00:27,510
in the network. As a security professional,

14
00:00:27,510 --> 00:00:29,850
I can install all the technology I want,

15
00:00:29,850 --> 00:00:33,210
but if I don't fix the user, it's all going to be for nothing.

16
00:00:33,210 --> 00:00:36,170
I can put in firewalls and intrusion prevention systems,

17
00:00:36,170 --> 00:00:38,600
and host-based security systems and all sorts of other

18
00:00:38,600 --> 00:00:40,770
stuff to protect my network,

19
00:00:40,770 --> 00:00:43,230
but if the user clicks okay or accept,

20
00:00:43,230 --> 00:00:45,720
and lets the bad guy in, it's just going to go

21
00:00:45,720 --> 00:00:47,200
right through all of it, right?

22
00:00:47,200 --> 00:00:49,180
Think about when we talked about a firewall,

23
00:00:49,180 --> 00:00:51,980
a firewall blocks things from coming in from the outside.

24
00:00:51,980 --> 00:00:54,580
But, when you're using a stateful firewall and somebody

25
00:00:54,580 --> 00:00:57,100
goes to a website, it actually opens a port on

26
00:00:57,100 --> 00:00:59,770
the firewall, and requests them to come back in.

27
00:00:59,770 --> 00:01:01,970
And that means if you go to a malicious website,

28
00:01:01,970 --> 00:01:04,200
it can go in through your firewall that way, right?

29
00:01:04,200 --> 00:01:05,750
And so this is something you have to make sure

30
00:01:05,750 --> 00:01:06,950
you're training your users on.

31
00:01:06,950 --> 00:01:08,590
There's a lot of things we need to cover when we're

32
00:01:08,590 --> 00:01:09,800
talking with our users.

33
00:01:09,800 --> 00:01:11,360
Some of the big basics here.

34
00:01:11,360 --> 00:01:13,300
First, teach them to never give out

35
00:01:13,300 --> 00:01:14,750
their authentication details.

36
00:01:14,750 --> 00:01:17,090
That means don't let people give out their passwords,

37
00:01:17,090 --> 00:01:19,860
their PIN numbers, showing their ID badges from their

38
00:01:19,860 --> 00:01:22,340
company that people can make copies of,

39
00:01:22,340 --> 00:01:25,790
giving out their security tokens like their RSA key fobs,

40
00:01:25,790 --> 00:01:29,100
or their smart cards, none of that. Never share details

41
00:01:29,100 --> 00:01:31,821
of your authentication or your authentication systems.

42
00:01:31,821 --> 00:01:34,610
Next, any time you're entering in a PIN number

43
00:01:34,610 --> 00:01:37,200
or a password, you want to make sure people can't see

44
00:01:37,200 --> 00:01:38,050
what you're doing.

45
00:01:38,050 --> 00:01:39,800
Think about it, if you went to the ATM to go

46
00:01:39,800 --> 00:01:42,760
take out $50, you're going to make sure nobody is seeing you

47
00:01:42,760 --> 00:01:44,530
putting in your secret PIN number, right?

48
00:01:44,530 --> 00:01:46,600
I know I kind of put my hand like this to make sure people

49
00:01:46,600 --> 00:01:48,580
can't see it, that's the idea here.

50
00:01:48,580 --> 00:01:50,120
You always want to shield those keypads,

51
00:01:50,120 --> 00:01:52,020
the same thing when you're entering in your PIN number

52
00:01:52,020 --> 00:01:53,850
for a smart card, or you're entering in your

53
00:01:53,850 --> 00:01:55,510
password on your machine.

54
00:01:55,510 --> 00:01:58,290
Also, you want to make sure your organization sets up what's

55
00:01:58,290 --> 00:02:00,060
known as a clean desk policy

56
00:02:00,060 --> 00:02:01,580
and you want to enforce this.

57
00:02:01,580 --> 00:02:03,350
Now, what's a clean desk policy?

58
00:02:03,350 --> 00:02:06,150
It means at the end of the day, your desk is clean.

59
00:02:06,150 --> 00:02:08,320
All of your files and folders should be put away

60
00:02:08,320 --> 00:02:11,140
in locked drawers, that way, when you leave the building,

61
00:02:11,140 --> 00:02:13,880
nobody can come in and look through your files.

62
00:02:13,880 --> 00:02:16,480
Next, you want to screen your e-mails and your phone calls

63
00:02:16,480 --> 00:02:18,820
carefully and you want to keep a log of any events

64
00:02:18,820 --> 00:02:20,340
that seem suspicious to you.

65
00:02:20,340 --> 00:02:22,610
So if I call out and ask you questions about how

66
00:02:22,610 --> 00:02:25,730
you get your shipments or how people get into your company,

67
00:02:25,730 --> 00:02:27,390
or what kind of toner you're using,

68
00:02:27,390 --> 00:02:29,610
or any of those other pretexts that I may use,

69
00:02:29,610 --> 00:02:32,400
you want to log that and let your security personnel know.

70
00:02:32,400 --> 00:02:33,960
Another thing you want to train your users on

71
00:02:33,960 --> 00:02:35,740
is how to protect their e-mails,

72
00:02:35,740 --> 00:02:38,000
and they do this by using encryption.

73
00:02:38,000 --> 00:02:40,190
You as the technical person are going to set up that

74
00:02:40,190 --> 00:02:42,080
encryption, you're also going to set up encryption for

75
00:02:42,080 --> 00:02:43,600
your voice calls, through VoIP.

76
00:02:43,600 --> 00:02:46,040
And you're also going to set up encryption for data at rest,

77
00:02:46,040 --> 00:02:47,860
data in transit and data in use,

78
00:02:47,860 --> 00:02:49,730
but you have to train your users on

79
00:02:49,730 --> 00:02:51,230
how to use that encryption.

80
00:02:51,230 --> 00:02:53,100
So, that's on you to make sure they're getting that

81
00:02:53,100 --> 00:02:55,020
in their annual training.

82
00:02:55,020 --> 00:02:57,680
Also, you want to train your users to never pick up

83
00:02:57,680 --> 00:03:00,430
and never make use of any removable media.

84
00:03:00,430 --> 00:03:03,880
If you find a DVD, a CD, or a thumb drive on the floor

85
00:03:03,880 --> 00:03:06,390
or in the parking lot, they should take it to security

86
00:03:06,390 --> 00:03:08,690
and it should be disposed of. It should never be plugged

87
00:03:08,690 --> 00:03:11,380
into your system because that might have malware

88
00:03:11,380 --> 00:03:12,680
and malicious things on there

89
00:03:12,680 --> 00:03:14,800
that are going to infect the network.

90
00:03:14,800 --> 00:03:17,140
Also, when you're dealing with physical paper,

91
00:03:17,140 --> 00:03:19,040
you want to make sure that physical paper is shredded

92
00:03:19,040 --> 00:03:20,220
when you're not needing it.

93
00:03:20,220 --> 00:03:22,940
So any sensitive information doesn't just go in the trash

94
00:03:22,940 --> 00:03:25,140
or recycling, it gets shredded first.

95
00:03:25,140 --> 00:03:28,370
That includes things like phone lists, personnel records,

96
00:03:28,370 --> 00:03:30,590
password logs, anything like that.

97
00:03:30,590 --> 00:03:32,500
All of it needs to be shredded.

98
00:03:32,500 --> 00:03:34,260
Next, you want to make sure you're complying with

99
00:03:34,260 --> 00:03:36,870
company policies for data handling and disposal

100
00:03:36,870 --> 00:03:39,520
and teaching those policies to all of your users.

101
00:03:39,520 --> 00:03:41,910
So when you start talking about data handling and disposal,

102
00:03:41,910 --> 00:03:43,750
how are we going to destroy things

103
00:03:43,750 --> 00:03:45,250
when we no longer need them?

104
00:03:45,250 --> 00:03:47,010
How are we going to get rid of hard drives

105
00:03:47,010 --> 00:03:49,020
that are no longer needed by the organization?

106
00:03:49,020 --> 00:03:50,340
Are we going to format them?

107
00:03:50,340 --> 00:03:51,730
Are we going to wipe them?

108
00:03:51,730 --> 00:03:53,410
Are we going to degauss them?

109
00:03:53,410 --> 00:03:55,090
It all depends on your policies.

110
00:03:55,090 --> 00:03:56,520
Whatever those policies are,

111
00:03:56,520 --> 00:03:58,540
make sure people in the organization know them

112
00:03:58,540 --> 00:04:00,970
and you train that to your users.

113
00:04:00,970 --> 00:04:02,570
When you're doing things for shipment,

114
00:04:02,570 --> 00:04:04,680
you want to make sure you're preventing diversion theft.

115
00:04:04,680 --> 00:04:05,610
How do you do that?

116
00:04:05,610 --> 00:04:07,730
You track those shipments and you know when they're

117
00:04:07,730 --> 00:04:09,660
coming and where they're going.

118
00:04:09,660 --> 00:04:13,170
And finally, teach your users good web security.

119
00:04:13,170 --> 00:04:14,660
Any time they're using a web browser,

120
00:04:14,660 --> 00:04:16,620
they need to be extremely careful.

121
00:04:16,620 --> 00:04:19,090
Anything they click on could be bringing malware

122
00:04:19,090 --> 00:04:20,550
into your organization,

123
00:04:20,550 --> 00:04:22,100
so you want to make sure they understand

124
00:04:22,100 --> 00:04:23,860
what is allowed and what isn't.

125
00:04:23,860 --> 00:04:26,490
And personally, I prefer inside your organization

126
00:04:26,490 --> 00:04:29,650
if you use a whitelist approach to using the web.

127
00:04:29,650 --> 00:04:32,540
That means you give them authorized sites they can go to

128
00:04:32,540 --> 00:04:35,310
instead of trying to block sites that they can't go to.

129
00:04:35,310 --> 00:04:37,950
Because when you try to block sites that they can't go to