- About the Author
- About the Technical Editor
- Credits
- Acknowledgments
- Foreword
- Introduction
- CHAPTER 1 Fundamental Networking and Security Tools
- CHAPTER 2 Troubleshooting Microsoft Windows
- CHAPTER 3 Nmap—The Network Mapper
- CHAPTER 4 Vulnerability Management
- CHAPTER 5 Monitoring with OSSEC
- CHAPTER 6 Protecting Wireless Communication
- CHAPTER 7 Wireshark
- CHAPTER 8 Access Management
- CHAPTER 9 Managing Logs
- CHAPTER 10 Metasploit
- CHAPTER 11 Web Application Security
- CHAPTER 12 Patch and Configuration Management
- CHAPTER 13 Securing OSI Layer 8
- CHAPTER 14 Kali Linux
- CHAPTER 15 CISv7 Controls and Best Practices
Education
Criminals are familiar with human nature. They will use whatever is in their arsenal to attack your organization and the people who work with you. No one who interacts with others is immune. You must educate your end users to
- Be suspicious of any phone call, visit, or email message you did not initiate. If someone asks for information about other employees, verify who they are through a channel you control (a number from the company directory, not one they give you) before you answer. A legitimate requester can prove who they are; an attacker will usually give up and look for easier prey.
- Never reveal personal or financial information by email, and do not respond to email solicitations that ask for it, including by clicking the links in the message. Banks will never ask for your PIN, and the IRS will not call you out of the blue.
- Pay close attention to the URL of any website linked in an email or SMS message. Hover over the link first: the text you see can differ from where the link actually goes, and a malicious site can look very similar to the legitimate one. If you know the URL of the site they want you to visit, type it in yourself. Do not click the link.
- If you are unsure whether an email request is legitimate, forward it to your IT incident response team. Do not use contact details supplied in the message or on a website it links to; look them up independently.
- Install and maintain antivirus software, firewalls, and email filters.
- Block ads and pop-ups whenever possible. Clicking an ad can expose you to malvertising: drive-by malware downloads, clickjacking, and similar attacks.
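The "look closely at the URL" advice above, turned into checks a mail filter or a careful user can apply, as an added example that is not from the book. It uses only Node's built-in WHATWG URL parser, so it runs offline; the trusted-domain list and the sample links are constructed for the example.

```javascript
// Added example, not code from the book: link checks that automate the
// "look closely at the URL" advice. Uses only Node's built-in WHATWG URL
// parser, so it runs offline. The trusted-domain list is constructed.
const TRUSTED_DOMAINS = ["examplebank.com"];

// Lower-cased hostname of an absolute URL, trailing dot removed.
function hostOf(link) {
  return new URL(link).hostname.toLowerCase().replace(/\.$/, "");
}

// True when host is a trusted domain or a subdomain of one.
function isTrustedHost(host) {
  return TRUSTED_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Returns the reasons a link looks suspicious; an empty array means none of
// these checks fired (which is not proof that the link is safe).
function inspectLink(href, displayedText = "") {
  let url;
  try {
    url = new URL(href);
  } catch {
    return ["href is not a valid absolute URL"];
  }
  const reasons = [];
  const host = hostOf(href);

  // Mail should only link to http(s); javascript:/data: links are never legitimate.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    reasons.push(`unexpected scheme ${url.protocol}`);
  } else if (url.protocol === "http:") {
    reasons.push("link is not HTTPS");
  }

  // https://examplebank.com@evil.example/ : the part before '@' is userinfo,
  // placed there to fool the eye; the real host is evil.example.
  if (url.username || url.password) {
    reasons.push("URL carries userinfo; the text before '@' is not the host");
  }

  // Internationalised labels arrive as punycode; a Cyrillic 'а' in a brand
  // name renders like Latin 'a' but is a different domain.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("hostname contains a punycode label (possible homograph)");
  }

  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    reasons.push("hostname is a bare IPv4 address");
  }

  if (!isTrustedHost(host)) {
    for (const domain of TRUSTED_DOMAINS) {
      // examplebank.com.evil.example : the brand appears, but not as the registrable domain.
      const brand = domain.split(".")[0];
      if (host.includes(brand)) {
        reasons.push(`untrusted host "${host}" contains the brand "${brand}"`);
      }
    }
    // examp1ebank.com : digits standing in for letters.
    const unleet = host.replace(/0/g, "o").replace(/1/g, "l").replace(/3/g, "e").replace(/5/g, "s");
    if (unleet !== host && isTrustedHost(unleet)) {
      reasons.push(`host "${host}" looks like a digit-substituted "${unleet}"`);
    }
  }

  // Anchor text that is itself a URL, but for a different host than the real target.
  const shown = displayedText.trim();
  if (/^https?:\/\//i.test(shown)) {
    try {
      const shownHost = hostOf(shown);
      if (shownHost !== host) {
        reasons.push(`link text shows "${shownHost}" but the link goes to "${host}"`);
      }
    } catch {
      reasons.push("displayed link text is not a valid URL");
    }
  }
  return reasons;
}

// Constructed sample links, as they might appear in a phishing mail.
const SAMPLE_LINKS = [
  ["https://www.examplebank.com/login", "Sign in"],
  ["https://examplebank.com@evil.example/", "https://examplebank.com/"],
  ["http://examplebank.com.evil.example/login", "https://examplebank.com/login"],
  ["https://examp1ebank.com/", "examp1ebank.com"],
];

for (const [href, text] of SAMPLE_LINKS) {
  console.log(href, "->", inspectLink(href, text));
}
```

The checks are deliberately conservative: an empty result only means the link passed these few tests, while any non-empty result is reason enough to type the address yourself instead of clicking.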
Another of my favorite resources is Lance Spitzner, director of SANS Security Awareness. He says, “People are not the weakest link today, they are the most common attack vector.” One of the most useful things SANS offers everyone is its OUCH! newsletter. If you have not subscribed, then I highly recommend you put this book down long enough to Google SANS OUCH! OUCH! is a free security-awareness newsletter designed for everyone, not just IT professionals. It is published every month in multiple languages and is scrupulously reviewed by other SANS instructors. You can go back several years or search for a specific category.
A couple of years back, I was tasked with coming up with some security awareness training for a software security company I worked for. I would print out the SANS OUCH! newsletters and put them above the coffee pot in the breakroom, on the mirror between the sinks in the bathroom, or above the copier. I put them wherever I knew people congregated or were a captive audience. Every other month, I would run a contest built around some of the information in the newsletter, and the reward could be a day off or some type of recognition. People started paying attention. When IT periodically phished our internal employees, they recognized the telltale signs and forwarded the phishing messages to the right people at the company.
If you think you've been a victim of a social engineering campaign and have revealed sensitive information, report it to the right people, including network administrators. They have tools and can be on the alert for any suspicious behavior. If you believe any of your financial accounts have been compromised, contact that organization immediately, close the account, and watch for anything you can't explain. Watch your credit reports for any accounts that are opened that you did not authorize. I have my credit and my children's credit accounts locked down. Unfortunately, I was a victim a few years ago of the U.S. Office of Personnel Management breach, and my clearance paperwork contained all the personally identifiable information about my family.
Lastly, password hygiene is a fiercely debated topic in IT. If you think you're compromised, immediately change any passwords you might have revealed. If you use the same password on multiple sites for different accounts, change those as well, and don't ever use that password again. Some sites require the password to be a certain length with uppercase, lowercase, and special characters. Some people swear by using password managers like LastPass, Keeper, and Dashlane. A password manager is a tool that does the work of creating and remembering all the passwords for your accounts. For me, it sounds great but is a single point of failure.
To make accounts safer:
- Use long, complex passwords. The ideal password is fully random, mixing uppercase and lowercase letters, digits, and special characters, which also makes it very hard to remember. If you have to memorize one, build a long passphrase from a sentence you already know, such as a line from a favorite book, for example Wh0i$J0hnG@1t! (and then do not use that one: any example printed in a book is already in attackers' wordlists).
- Do not write passwords down, and do not build them from birthdays or other facts about you that are easy to look up.
- Always use multifactor authentication whenever it is offered.
- Don't be too social on social media. Nearly 90 million Facebook accounts had their profile information shared by researchers using a third-party quiz app. If you aren't paying for it, you are the product. Nothing is ever truly private on social media.
If you prefer to create your passwords yourself, you have one more option. A friend of mine, Michael Hawkins of Wantegrity, built a site especially for his customers but has made it available to anyone who would like to try it. At www.wantegrity.com/passwords.php, you use your regular, memorable password as the master key and the account you are logging into as the site key. As Figure 13.1 shows, you enter the password and the account and the page generates a unique, complex password for that pair; because it is derived from those two inputs, you can regenerate it whenever you need it instead of storing it. If you're concerned about password harvesting, right-click and view the page source, and watch the browser's network tab while you generate one: what's typed on the page stays on the page, and no request should leave the browser carrying it.