Safeguard 14 - Security Awareness and Skills Training
According to the IBM Cyber Security Intelligence Index, human error was a major contributor in 95% of successful cybersecurity attacks. Computer systems are only as secure as the people who use them. Some attacks, called social engineering attacks, rely entirely on exploiting people's trust. Phishing, for example, is when people are tricked into giving away sensitive information or installing malware because of a misleading message or website.
Knowing how to recognize social engineering attacks and prevent accidentally leaking sensitive data is the best defense against these attacks.
14.1 - Establish and Maintain a Security Awareness Program
The Virginia Tech IT Security Office (ITSO) provides several security awareness resources for faculty, staff, and students. Additionally, it provides in-person security awareness training, previous awareness training slides and videos, and the Securing the Human security awareness course from SANS.
Good security awareness includes knowing how to keep your operating system and applications up to date, recognizing malware and social engineering attacks, creating and managing secure passwords, and staying safe online.
Malware is software designed to steal information or harm devices. An overview of malware types and safeguards against it can be found in the Malware Defenses documentation. Information about malware and how it affects devices can be found as part of the Malware section of the security awareness materials.
Strong, unique passwords prevent your accounts from being compromised by brute-force attacks. Brute forcing is when an attacker tries to access an account by guessing a password. It's fairly simple to create a list of common and previously compromised passwords and have a program automatically try every entry on that list to see what works. It's also important to keep any written-down passwords out of plain sight rather than on a computer monitor or desk.
Information about password security best practices can be found as part of the Passwords section of the security awareness materials. To change or reset your password, refer to the 4Help Changing or Resetting My Password knowledge base article. Additionally, check the Password Rules or Safeguard 5.2 of the Account Management documentation for guidelines on creating a secure password.
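The following is an added example, not code from the original page or from Virginia Tech's own tooling. It shows the defender's side of the brute-force point made above: a password check that rejects entries from a list of common and previously compromised passwords, including trivial variants produced by the mangling rules attackers apply ("Password1!", "P@ssw0rd2024"), and contrasts how many guesses a wordlist hit costs against an exhaustive search. The denylist, the minimum length and the mangling-rule count are assumptions constructed for the example, not the university's Password Rules.

```python
"""Added example: a password denylist check (not code from the original page).

The denylist, MIN_LENGTH and MANGLING_RULES below are constructed assumptions
for this example, not Virginia Tech policy values.
"""
import re

# Constructed miniature of a common/compromised password list. A real check
# would load a large published list from disk; the logic is the same.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "hokies",
    "football", "iloveyou", "admin", "sunshine",
}

MIN_LENGTH = 12          # assumed policy value for this example
MANGLING_RULES = 50      # assumed: variants an attacker tries per list word

# Undo the cheap tricks a guesser also tries: "Password1!" -> "password".
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})
_EDGE_JUNK = r"[\d!@#$%^&*()_+=.,?\-]+"


def normalize(password: str) -> str:
    """Lower-case, strip leading/trailing digits and symbols, then de-leet."""
    base = password.lower()
    base = re.sub(_EDGE_JUNK + "$", "", base)
    base = re.sub("^" + _EDGE_JUNK, "", base)
    return base.translate(_LEET)


def check_password(password: str, denylist=COMMON_PASSWORDS) -> list:
    """Return the reasons a password should be rejected (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    base = normalize(password)
    if password.lower() in denylist:
        problems.append("appears verbatim in the common-password list")
    elif base and base in denylist:
        problems.append(f"is a trivial variant of the common password '{base}'")
    return problems


def guesses_to_crack(password: str, denylist=COMMON_PASSWORDS) -> tuple:
    """Rough worst-case guess count for an attacker.

    A wordlist hit costs at most (list size x mangling rules) guesses; anything
    else forces exhaustive search over the character classes actually used.
    """
    if password.lower() in denylist or normalize(password) in denylist:
        return "wordlist", len(denylist) * MANGLING_RULES
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += 33   # printable ASCII symbols
    return "exhaustive", charset ** len(password)


if __name__ == "__main__":
    for candidate in ("Password1!", "hokies2024!", "P@ssw0rd2024", "correct-horse-battery"):
        print(candidate, check_password(candidate) or "accepted", guesses_to_crack(candidate))
```

The normaliser strips the digits and symbols people append and undoes common letter substitutions before consulting the list, because a guesser does exactly that in reverse. A long passphrase that is not derived from a list word is the only input that forces the attacker into an exhaustive search.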
Wireless Network Safety
Data sent over an unsecured network, such as usernames and passwords, can be easily stolen. Never send personal information when connected to an untrusted network. Free public wifi is often unsecured and should be avoided as much as possible.
- Don't use unsecured networks like free public wifi.
- Don't use wifi networks secured with Wired Equivalent Privacy (WEP). Instead use networks secured with Wi-Fi Protected Access II (WPA2).
- Disable shared folders.
More information about wireless network safety can be found as part of the Wireless Network Safety section of the security awareness materials.
Social Network Safety
Social media can be used against you to gain personal information. By being mindful of posting habits and utilizing privacy settings, you can stay safe while connecting with friends and family on social media.
Social Media Security Tips
- Never post sensitive information. Don't post pictures that include sensitive personal or work-related information in them.
- Be mindful of your posting. Don't post inappropriate pictures or take part in inappropriate groups.
- Once it's online, it's online forever. Even if you delete a page or post, someone at some point could have archived or screenshot it.
- Use privacy settings on social media to limit viewing to only the people you're comfortable sharing with.
More information about social network safety can be found as part of the Social Network Safety section of the security awareness materials.
Request an Awareness Training Session
- Log into 4Help.
- Go to Service Catalog > Security > Awareness Training.
- Click or tap Request this service.
- Fill out the request form and click Submit.
14.2 - Train Workforce Members to Recognize Social Engineering Attacks
All workforce members should be able to recognize social engineering methods used by attackers to gain access and information.
What is Social Engineering?
Social engineering is a set of attack methods that exploits people's trust to gain sensitive information or special access or get them to do something they shouldn't, such as sending money, sharing sensitive files, or installing malware.
Phishing is when an attacker creates a misleading message, email, and/or website to trick people into giving away personal information. This could include your date of birth, answers to commonly asked security questions, social security number, or username and password.
Common Characteristics of Phishing Attacks
- Asking for sensitive information such as your username and password, social security number, date of birth, or payment information.
- Contains a misleading link to an unknown website. The site behind the link will ask for information, impersonate a well-known website, or make your computer download malware.
- The sender's email is misleading or forged to look like someone from a legitimate organization.
Spear phishing is a specialized type of phishing that targets an individual or group. Unfortunately, this kind of phishing is becoming more common at Virginia Tech. For example, an email may go to all engineering undergrads advertising a high-paying job, but the sender's email is not a @vt.edu email and the phone number in the email signature has been changed to the sender's virtual phone rather than an official number for a Virginia Tech department.
- Always check the sender's email. Don't trust unsolicited emails sent from non-VT email addresses.
- Never respond to messages that ask to verify or update information or ask for personal information such as your date of birth, PID, or password.
- Never call phone numbers provided in emails asking for information.
- Keep antivirus software and your device's firewall up to date.
- Report phishing emails as spam.
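As an added example (not code from the original page), the checks below turn the phishing characteristics listed above and the spear-phishing tips into indicators that can be run over a message: an external or forged-looking sender, a request for sensitive information such as a PID or date of birth, a link whose visible text points at a different site than its target, and a phone number the reader is told to call. The trusted domain, the organisation name, the indicator thresholds and both sample emails are assumptions constructed for the example.

```python
"""Added example: flag the phishing indicators described on this page.

TRUSTED_DOMAINS, ORG_NAME, the classification thresholds and the two sample
messages are constructed assumptions, not data from the original page.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"vt.edu"}        # assumed: the organisation's own domain
ORG_NAME = "virginia tech"          # assumed: name a forged sender would claim

SENSITIVE_REQUEST = re.compile(
    r"\b(password|passcode|pid|social security( number)?|ssn|date of birth|"
    r"verify your (account|information)|update your (account|information)|"
    r"payment information|credit card)\b", re.I)
PHONE_NUMBER = re.compile(r"\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}")
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.I)


@dataclass
class Email:
    from_name: str
    from_addr: str
    subject: str
    body: str
    links: list = field(default_factory=list)   # (display text, href) pairs


def _addr_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _url_domain(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _same_site(a: str, b: str) -> bool:
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def _trusted(domain: str) -> bool:
    return any(_same_site(domain, t) for t in TRUSTED_DOMAINS)


def phishing_indicators(mail: Email) -> list:
    """Return a human-readable list of the phishing indicators found in a message."""
    hits = []
    text = f"{mail.subject}\n{mail.body}"

    sender_domain = _addr_domain(mail.from_addr)
    if not _trusted(sender_domain):
        hits.append(f"external sender domain: {sender_domain}")
        if ORG_NAME in mail.from_name.lower():
            hits.append("display name claims the organisation but address is external")

    asks = sorted({m.group(0).lower() for m in SENSITIVE_REQUEST.finditer(text)})
    if asks:
        hits.append("asks for sensitive information: " + ", ".join(asks))

    for display, href in mail.links:
        target = _url_domain(href)
        if LOOKS_LIKE_URL.match(display.strip()):
            shown = _url_domain(display.strip())
            if not _same_site(shown, target):
                hits.append(f"link text shows {shown} but points to {target}")
        if not _trusted(target):
            hits.append(f"link to unknown website: {target}")

    if PHONE_NUMBER.search(text) and re.search(r"\bcall\b", text, re.I):
        hits.append("asks you to call a phone number in the email")
    return hits


def classify(mail: Email) -> str:
    """Assumed thresholds: two or more indicators means likely phishing."""
    n = len(phishing_indicators(mail))
    return "likely phishing" if n >= 2 else ("review" if n == 1 else "clean")


# Constructed samples, modelled on the spear-phishing job offer described above.
SPEAR_PHISH = Email(
    from_name="Virginia Tech Career Services",
    from_addr="careers@careers-recruit.example.com",
    subject="High-paying remote position for engineering undergrads",
    body=("We are hiring students immediately. Reply with your PID and date of "
          "birth, or call 555-010-2222 to confirm. Apply using the link below."),
    links=[("https://careers.vt.edu/apply", "http://vt-careers-apply.example.net/form")],
)
LEGITIMATE = Email(
    from_name="IT Security Office",
    from_addr="itso@vt.edu",
    subject="Awareness training slides posted",
    body="Slides from this month's in-person session are available on the ITSO site.",
    links=[("vt.edu", "https://www.vt.edu/")],
)

if __name__ == "__main__":
    for mail in (SPEAR_PHISH, LEGITIMATE):
        print(mail.subject, "->", classify(mail))
        for hit in phishing_indicators(mail):
            print("   -", hit)
```

The link check compares the site shown in the link text with the site the link actually targets, which is the "misleading link" characteristic from the list; the sender check catches the forged display name on an external address; the phone check exists because the tips say never to call numbers provided in an email. None of these indicators proves a message is malicious on its own, which is why the sample classifier needs two before it says "likely phishing".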
Tailgating is when someone gets into a building or area that requires special access by following someone with access in. If you need to swipe an ID card or enter a PIN code to get into a building, don't let people come in behind you without doing the same. While holding the door is usually a polite and harmless thing to do, it should not be done in secured areas.
Pretexting is a type of social engineering attack in which the attacker builds a fabricated scenario (the pretext) to impersonate someone and trick members of an organization into giving away sensitive information.
In 2006, Hewlett-Packard's chairwoman Patricia Dunn wanted to identify the source of an information leak, so she hired a team of security experts to conduct an investigation. The security experts hired investigators that impersonated board members to obtain their phone records. Their pretexting methods quickly turned the investigation into a scandal.
Securing the Human Training
All Base Compliant employees are required to take the online SANS course, Securing the Human IT Security Awareness Training, in order to learn how to recognize social engineering attacks. The training is valid for one year and can be renewed by taking an Annual Renewal version of the course.
The Securing the Human training introduces people to the IT threats that the university faces, how to spot and avoid cyber attacks, and basic data security practices. This course is best suited for individuals who are unfamiliar with IT security concepts.
Enroll in Securing the Human Training
- Ensure you are logged in to PageUp Talent Management System.
- Use this link, Securing the Human IT Security Awareness Training - New Employees / Initial Training, to access the training.
- Click Learn now.
Renew Existing Securing the Human Training
- Ensure you are logged in to PageUp Talent Management System.
- Use this link, Securing the Human Annual Renewal IT Security Awareness Training, to access the training.
- Click Learn now.
14.3 - Train Workforce Members on Authentication Best Practices
Workforce members should know authentication best practices such as multifactor authentication (MFA), secure password creation, and password management. For information on each of these topics, see the Account Management documentation and Authenticating using Duo 2-Factor Authentication knowledge base article.
14.4 - Train Workforce on Data Handling Best Practices
Workforce members should be trained to properly manage and secure data. This includes storing, transferring, archiving, and destroying data. Additionally, employees should follow a clear screen and clear desk policy. That is, desks should be cleared of any sensitive information and valuables, computer screens should automatically lock after idling, and whiteboards should be cleared after meetings. For information and procedures on data handling, refer to the Data Protection documentation.
14.5 - Train Workforce Members on Causes of Unintentional Data Exposure
All workforce members should be trained to follow the Data Exposure Response Procedure. For a list of Data Trustees and Data Stewards, please refer to the Administrative Data Management Standard. Some information and procedures from this standard can also be found in the Data Protection documentation.
14.6 - Train Workforce Members on Recognizing and Reporting Security Incidents
All workforce members should be able to recognize a potential security incident and know how to report it to the IT Security Office. For instructions on how to report a security incident, refer to Safeguard 17.3 of the Incident Response Management documentation. This documentation also includes further information on the incident response guidelines and procedures at Virginia Tech.
14.7 - Train Workforce on How to Identify and Report if their Enterprise Assets are Missing Security Updates
Workforce members should know how to check the system version of enterprise assets and the applications on them, along with how to report out-of-date software and any failures in automated processes and tools. Please consult the safeguards in the Continuous Vulnerability Management documentation, particularly Safeguard 7.3.
14.8 - Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
Workforce members should be trained to avoid transmitting enterprise data over insecure networks as much as possible. Insecure networks are any networks that you can connect to without typing in a password. Networks secured with Wired Equivalent Privacy (WEP) should also be avoided as much as possible. Instead use networks secured with Wi-Fi Protected Access II (WPA2). More information about wireless network safety can be found as part of the Wireless Network Safety section of the security awareness materials.
14.9 - Conduct Role-Specific Security Awareness and Skills Training
All Base Compliant Virginia Tech employees must take a security awareness training once a year. However, other roles may require additional training.
Application Security Training Resources
Application developers, administrators, and maintainers should refer to the Application Software Security documentation to view relevant procedures and information.
In addition to training materials, developers should refer to relevant secure coding guidelines for the technologies they're using.
Additionally, for guidance regarding web development security practices, please see the knowledge base (KB) article, Implementing Web Development Site Security.
To train in secure coding practices, there are courses from Carnegie Mellon University and the SANS Institute that offer certifications:
OWASP stands for the Open Web Application Security Project. It is a non-profit organization that creates open-source security-focused projects that are by the community, for the community. They focus on web application development, providing relevant tools, resources, educational materials, training, and community networking.
All of OWASP's projects are created and maintained by volunteers, and they are frequently updated to keep up with current trends and relevant cybersecurity threats.
OWASP Top Ten
The OWASP Top Ten is a document of the top ten most critical security vulnerabilities for web applications. It serves as a great resource for keeping up with current security trends as well as getting started with web app security.
Zed Attack Proxy
The OWASP Zed Attack Proxy (ZAP) is a free, open-source web application scanner. Its website contains the application download, a quick start guide, video tutorials, documentation, and more. The OWASP community has also created add-ons that can be used to expand ZAP's usage.
Secure Coding Practices Guide
The OWASP Secure Coding Practices Quick Reference Guide is a document that lists secure development practices that are applicable to all coding projects, regardless of programming language. This concise, easy-to-read document is only 17 pages long and is perfect for developers of all skill levels.
Security Knowledge Framework
The OWASP Security Knowledge Framework is a Python-Flask/Angular web application that serves as a training tool for developers. It can be run in a Kubernetes cluster or provided as Software-as-a-Service (SaaS).
- Integrates OWASP's Mobile and Web Application Verification Standards.
- Contains over 150 interactive labs.
- Includes code examples.
- Comes with a vast knowledge base of vulnerability information, including best management strategies.
Web Security Testing Guide
The OWASP Web Security Testing Guide is a cybersecurity resource for web developers and security professionals. It goes through the best web application testing practices used by security professionals worldwide.
If you have questions that are not covered in these procedures, please contact the VT IT Security Office firstname.lastname@example.org for a consultation.